UPS Virus removal - braviax.exe and burito.exe
laurentio
24th July 2008, 12:44 AM
A new threat, hard to remove as so far nothing can stop it or identify it.
It might arrive as an email from UPS, a zipped file that once opened will deploy braviax.exe and burito.exe on your system.
The bogus Packet Service messages claim a parcel sent by the user was undeliverable due to an incorrect address. The user is instructed to open an attachment containing a copy of the invoice. The attachment actually contains a virus which may infect the user's computer.
http://support.bicestercomputers.co.uk/attachment.php?attachmentid=7&d=1216895417
http://support.bicestercomputers.co.uk/attachment.php?attachmentid=8&d=1216895426
Here is the removal procedure:
-------------------------------------------------------------------
Before we start fixing anything you should print out these instructions or copy them to a Notepad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Open the SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
----------------------------------------------------------------------------
Please perform a scan with Kaspersky Webscan Online Virus Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
1. Read the Requirements and Privacy statement, then select "Accept".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?"
3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "Next".
5. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
7. Click "OK".
8. Under "Select a target to scan", click on "My Computer".
Kaspersky does not remove anything but will provide a log of anything it finds.
Please post your feedback
gordon brownish
24th July 2008, 09:41 AM
We had this UPS virus on our work network with devastating results. 7 formatted computers, days of stress and hard work, installation and data recovery not to mention the costs or the business loss.
I believe that the one above is the new version as we had this problem more than 3 weeks ago.
Be very careful, this virus is for real.
laurentio
24th July 2008, 09:56 AM
yes, it is the new variant of UPS.
here is the resume of emails i have sent to our customers so far:
VERY IMPORTANT! (23-07-08 / 3:30AM)
Do not open any emails with UPS tracking code/number subject as it might be the new UPS virus.
The virus deploys braviax.exe and burito.exe and the removal procedure might lead to windows corruption.
Kind regards,
UPDATE (24-07-08 / 7:10AM)
http://urbanlegends.about.com/b/2008/07/15/ups-virus-warning.htm
The new virus is apparently a variant of the one described in the link above.
UPDATE (24-07-08 / 7:20AM)
http://wordpress.com/tag/ups-virus/
The new variant.
UPDATE ( 24-07-08 / 7:30AM)
A possible removal procedure might be found here:
http://support.bicester-computers.com/forumdisplay.php?f=31
laurentio
24th July 2008, 10:58 AM
Apparently ComboFix can remove it via a special script much easier than the method posted above.
Also, F-Prot Antivirus can identify the UPS virus and quarantine it.
Download the 30-day fully functional trial from here and try it. (http://www.f-prot.com/)
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\karina.dat
Folder::
C:\WINDOWS\system32\wsnpoem
Driver::
Ppu54
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ppu54.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\buritos]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
Download Combofix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) (also, read the tutorial on how to use ComboFIx (http://www.bleepingcomputer.com/combofix/how-to-use-combofix))
laurentio
24th July 2008, 03:48 PM
Have just found an easier and quicker way to remove UPS, DHL virus, burito.exe, braviax.exe and not only.:)
1. Download Remove Fake Antivirus
from here (http://freeofvirus.blogspot.com/)
Install, update then follow the scanning instructions.
2. Download Malwarebytes
from here (http://www.malwarebytes.org/mbam.php)
Install, update then follow the scanning instructions.
3. Download Panda Cloud
from here (http://www.cloudantivirus.com/en/)
Install and update and restart when requested.
In most of the cases you won't be able to download/update on the infected computer. Just use a working PC, download on a USB stick then move them onto the infected PC and just follow the instructions. Also, the safe mode scanning is recommended.
It will take from 30 min or maybe more (depends on the level of infestations) but trust me, it works. I have just cleaned 4 computers.
Please let us know if the above posted solution has helped you or not.
It is not only about helping others but helping yourself and making us better. Open an account with us today and get an automatic confirmation email with your username and password that will save you time in future.
(It is free and it takes less than a minute)
Thank you.
betsyd
24th July 2008, 06:17 PM
Hi... I accidentally downloaded this UPS virus.
I have been trying to follow your instructions, but I am unable to open the sdfix.exe file. Any suggestions?
Thanks
laurentio
24th July 2008, 06:44 PM
hi there
I would jump to the last post of my thread. (the last solution posted) and try it.
If you still want to open SD then just rename it to SD2 and try installing again.
Kristine
24th July 2008, 08:01 PM
Have just found an easier and quicker way to remove UPS virus, burito.exe, braviax.exe and not only.:)
1. Download F-Prot Antivirus
from here (http://files.f-prot.com/files/windows/fpav-windows-x86-hc-en.msi)
Install and update and restart when requested.
3. Download TR
from here (http://www.simplysup.com/tremover/download.html)
Install, update then follow the scanning instructions.
It might take 30 min or maybe more but trust me, it works. I have just cleaned 4 computers.
Fix listed here works!!! Thank you very much, Laurentio!! :) Well done!
laurentio
24th July 2008, 09:13 PM
Hi Kristine,
Glad it worked and thanks a lot for the feedback. xx
:cool:
Maceter
25th July 2008, 04:52 AM
I have tried the FP and TR fix you suggested, but while both programs found a few items they both seem to have missed buritos.exe (and a couple of others which I have been led to believe are related).
I have done this repeatedly, with rebooting.
I'd really like to know if there is something else I missed. (I did the updates and have rerun them in the correct order). I have even gone and hunted down the files that the logs claimed it was unable to remove (presumably due to locks), then removed them (with the help of a program from a Hiren's CD).
The programs are up to date.
I'd love another idea - I'm at a loss.
I may be quite wrong, but I feel that I may need a program that can run before Windows boots and erase freely anything that may be related. Am I off-base completely? Is there a program like this? Am I missing something?
Thank you for your help.
Maceter
25th July 2008, 05:41 AM
For what it's worth I have also just finished the ComboFix repair. And while it claimed to have found the files (buritos, etc.), once the system was rebooted those files had all reanimated.
Thank you for your input.
laurentio
25th July 2008, 07:50 AM
I have tried the FP and TR fix but they both seem to have missed buritos.exe (and a couple of others which I have been led to believe are related).
Could you please detail? What makes you believe that buritos.exe is still there and which ones are "the others" as you call them?
I may be quite wrong, but I feel that I may need a program that can run before Windows boots and erase freely anything that may be related.
Hiren's CD?? It is bootable. You've just mentioned it.
Thank you for your help.
Anyway Maceter, don't worry, that's why we are here: TO HELP YOU GUYS!
Just details please.
regards,
Maceter
25th July 2008, 01:24 PM
I've attached the images list from the Task Manager (I couldn't show mem & cpu due to file size). But as you can see Buritos is still running, and I thought I saw bravia in there after the FP and TR cleaning, but I don't see it visible now.
I have been working on this computer over VNC and I'm preparing to drive there (about an hour away) today to try to do a "boot from CD" cleaning.
And while the Hiren's CD _is_ bootable (I installed it yesterday and have it running on that system with Daemon tools) I suspect the F-Prot and McAfee that are on the CD are older def files. F-Prot says I can download a newer def file, but I don't know how to modify the iso after I do that. Is there a way to update those files and _then_ burn the (new) iso on to a CD, or should I not worry about that? Are you suggesting that the Hiren's CD with F-Prot would (likely) work? I was kind of expecting you'd recommend an F-Prot "cd" download from somewhere (just for ease of use).
I hope that's enough details. Thank you again.
http://support.bicestercomputers.co.uk/attachment.php?attachmentid=9&d=1216991545
laurentio
25th July 2008, 01:51 PM
1) I have been working on this computer over VNC and I'm preparing to drive there (about an hour away) today.
2) I suspect the F-Prot and McAfee that are on the CD are older def files.
1) ... You have to be there to restart the PC after TR scan as TR takes Windows OS into a "frozen state" from where you have to physically restart the computer. Please read the scanning instructions carefully.
2) The above posted F-Prot link lets you download the latest version of the antivirus and it gives you free 30 days trial which means that it can be fully updated to the latest definition files.
3) Once there, AFTER you scan the PC with these two programs could you also run Hijackthis (download from here (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis)) and post the log-file so I can have a look at it?
Thank you.
jrink
25th July 2008, 03:10 PM
I am trying to run either f-prot or trsetup on an infected computer but it always says, "e:\trsetup.exe The specified path does not exist. Check the path, and then try again"
This happens whether it's f-prot, trsetup, or even ANY program on the computer. How do I install those tools with this error occurring?
Maceter
25th July 2008, 03:14 PM
1) ... You have to be there to restart the PC after TR scan as TR takes Windows OS into a "frozen state" from where you have to physically restart the computer. Please read the scanning instructions carefully.
- I had a pair of hands local to the machine turn it off and restart it for me each time I have run it.
2) The above posted F-Prot link lets you download the latest version of the antivirus and it gives you free 30 days trial which means that it can be fully updated to the latest definition files.
- When I was talking about old def files, I was talking about the copy of f-prot that comes with Hiren's CD. I did the updates for the f-prot that I installed based on your instructions and have run that remotely, but I wouldn't know how to add the new def files to the copy of F-Prot that would run on Hiren's once I booted from that CD (presumably after changing the .iso).
3) Once there, AFTER you scan the PC with these two programs could you also run Hijackthis (download from here (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis)) and post the log-file so I can have a look at it?
- It will be another couple of hours before I'm there. I've run Hijackthis, the results are below. (I have to say I'm really enjoying these tools you're pointing out - I feel like I've been blind all this time. :) )
Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:40 AM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\pycron\pycron.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\buritos.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [buritos] buritos.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Pervasive.SQL Workgroup Engine.Lnk = C:\PVSW\Bin\w3dbsmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D1EFCF-5CA9-4831-9FEF-BCC0A8C4F4D3}: NameServer = 66.96.30.99,66.96.30.91
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Python Cron Service (PyCron) - Unknown owner - C:\Program Files\pycron\pycron.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
--
End of file - 6630 bytes
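The log above is the kind of output the thread keeps asking for, so here is a small triage script for it, written as an added example for this thread (not a tool from the thread or from Trend Micro). It flags the persistence patterns visible in the posted log: a Run entry that is only a bare file name (the way the buritos entry appears), any line naming a file or driver the thread associates with the infection, and entries HijackThis users normally review by hand (O17 DNS settings, O23 services with no publisher). The sample log is a constructed excerpt of the lines posted above.

```python
"""Triage helper for HijackThis logs (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# File and driver names mentioned in this thread as belonging to the infection.
THREAD_INDICATORS = {
    "braviax.exe", "buritos.exe", "burito.exe", "ntos.exe", "crypts.dll",
    "wsnpoem", "karina.dat", "cru629.dat", "wel63.sys", "ppu54.sys", "w432fsd.sys",
}

# Shape of an O4 line:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    level: str   # "suspicious" or "review"
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare_name(program: str) -> bool:
    """True when the entry gives only a file name: Windows then resolves it by
    searching directories at logon instead of loading from a fixed path."""
    return "\\" not in program and ":" not in program


def triage_line(line: str) -> list[Finding]:
    found: list[Finding] = []
    low = line.lower()
    for name in sorted(THREAD_INDICATORS):
        if name in low:
            found.append(Finding("suspicious", f"names {name}, listed in this thread", line))
            break
    m = O4_RE.match(line)
    if m and is_bare_name(executable_of(m.group("cmd"))):
        found.append(Finding("suspicious", "Run entry is a bare file name with no directory", line))
    if line.startswith("O17 - ") and "NameServer" in line:
        found.append(Finding("review", "per-interface DNS servers set in the registry; confirm they are the expected resolvers", line))
    if line.startswith("O23 - ") and "Unknown owner" in line:
        found.append(Finding("review", "service binary carries no publisher name", line))
    return found


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line.rstrip()))
    return findings


# Constructed excerpt of the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\buritos.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [buritos] buritos.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D1EFCF-5CA9-4831-9FEF-BCC0A8C4F4D3}: NameServer = 66.96.30.99,66.96.30.91
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level}] {f.reason}\n    {f.line}")
```

Run it against a saved hijackthis.log by passing the file contents to triage(). The "review" entries are not verdicts: the O17 resolvers may well be the ISP's, and an "Unknown owner" service is often just a vendor that did not sign its binary, which is why those are separated from the "suspicious" level.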
Kristine
25th July 2008, 03:15 PM
There's a new one out - Appears to be sent from Jet Blue but it isn't really from them - I don't have a fix for it if a computer gets infected because thankfully my end user didn't open the zip file, but I thought I'd mention that there is a new offshoot of the UPS virus going around now....
The attachment contains a zip file that has the Trojan.Zbot-1715 virus in it.
The text of the email is as follows:
-----Original Message-----
From: Cheryl Brandt JetBlue Airways [mailto:abrieljopi@boyerketchand.com]
Sent: Friday, July 25, 2008 6:14 AM
To: XXX@XXX.Com
Subject: Your order from {airlines} N8401582
Dear customers,
Thank you for using our new service "Buy airplane ticket Online" on our website.
Your account has been created:
Your login: XXXX
Your password: XXXX
Your credit card has been charged for $404.19.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Cheryl Brandt
JetBlue Airways
***end email
jrink
25th July 2008, 03:22 PM
In addition to not even being able to run f-prot.exe and trsetup.exe, I can't use sdfix either. When booting in safe mode and trying to run the runthis.cmd file, it gives me a "the system cannot find the file c:\windows]systems32\cmd.exe"
Any ideas here?
laurentio
25th July 2008, 03:58 PM
In addition to not even being able to run f-prot.exe and trsetup.exe, I can't use sdfix either. When booting in safe mode and trying to run the runthis.cmd file, it gives me a "the system cannot find the file c:\windows]systems32\cmd.exe"
Any ideas here?
move them all to C:\ drive, rename them then try again.
ex: TR to TR2.exe
jrink
25th July 2008, 04:05 PM
I'm not sure I follow you. Everything I try to run that's an .exe doesn't work, regardless of whether it's on c:, e:, etc. or whether it's tr.exe or tr2.exe.
Some programs work if i rename them to .cmd, but very few.
EDIT --- I was able to get trojan remover to work, but with the 7/23 (not 7/25) updates as I couldn't "update" since everything (including internet) was broken on the PC. However, running trojan remover with the 7/23 definitions (which is what was installed by default) and renaming it to .cmd from an .exe allowed it to run and remove the ups virus. After a reboot, a LOT more things are working (including .exe files). I'm still going to run F-prot just to be sure.
laurentio
25th July 2008, 04:31 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:40 AM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
--
End of file - 6630 bytes
It's a mess in there. You have multiple infections. Vundo is there too.
Step1.
Download Smitfraud Fix from HERE (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (download it on C:\)
Step2.
Start, run, type msconfig, press enter.
Go to start-up, click on disable all then ok.
do not restart yet.
Step3.
Add-Remove
uninstall/remove Real VNC.
uninstall/remove Norton. (use this tool (ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe))
uninstall/remove PC Tools AntiVirus
uninstall/remove Java
uninstall/remove McAfee
uninstall/remove F-Prot
uninstall/remove TR
Step4.
restart the PC.
Step5.
restart the PC once again and access Safe Mode this time (F8key)
Step6.
In Safe Mode, go to Smitfraud Fix (C drive, remember?) and run it.
Boot back into windows when finished, run RT, restart, Install F-Prot and do a final scan.
Please don't forget to get back to us with a Hijackthis log after all.
regards,
laurentio
25th July 2008, 04:43 PM
EDIT --- I was able to get trojan remover to work, but with the 7/23 (not 7/25) updates as I couldn't "update" since everything (including internet) was broken on the PC. However, running trojan remover with the 7/23 definitions (which is what was installed by default) and renaming it to .cmd from an .exe allowed it to run and remove the ups virus. After a reboot, a LOT more things are working (including .exe files). I'm still going to run F-prot just to be sure.
well done.
laurentio
25th July 2008, 04:44 PM
There's a new one out - Trojan.Zbot-1715
***end email
thank you Kristine. Will keep an eye on this one too.
xx
jrink
25th July 2008, 04:49 PM
I'm really trying to get f-prot going, but the trial key is never emailed to me. How long does it take for them to email you a trial key? I'm not comfortable giving the laptop back to the end-user until I know it's showing "ok" from both f-prot and trojan remover.
laurentio
25th July 2008, 05:29 PM
I'm really trying to get f-prot going, but the trial key is never emailed to me. How long does it take for them to email you a trial key? I'm not comfortable giving the laptop back to the end-user until I know it's showing "ok" from both f-prot and trojan remover.
try this one:
AE5QJE-362Z9T-Z6X4XT-6BJCT9-U4GM2C-ABLS
Just to make sure the system is clean I would personally install and scan the system with this program too. (download here (http://downloads2.superantispyware.com/downloads/SUPERAntiSpyware.exe))
Colin
25th July 2008, 06:08 PM
This one got me on an early morning email check as well. I had limited results with F-Prot and TR. Mine had become quite messy as well and I was getting ready to do something drastic but I tried Malwarebytes in a last ditch effort and, to my great surprise, it worked perfectly. It will take much longer than the others suggested but as far as I can tell it's all gone. Here's the link if anyone else wants to give it a try.
Download here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe)
Thanks for the excellent forum.
Good luck all.
Maceter
25th July 2008, 06:13 PM
Thanks. I'm on my way down there now. I'd like to clarify that when you say:
>> Boot back into windows when finished, run RT
do you mean their out of date Symantec, or did you mean "TR", or something else that I missed entirely?
laurentio
25th July 2008, 09:21 PM
Thanks. I'm on my way down there now. I'd like to clarify that when you say:
>> Boot back into windows when finished, run TR
do you mean their out of date Symantec, or did you mean "TR", or something else that I missed entirely?
Step6.
In Safe Mode, go to Smitfraud Fix (C drive, remember?) and run it.
Boot back into windows when finished with Smitfraud fix scan, once back to windows run TR (trojan remover) once again, follow the instruction, restart when requested, Install F-Prot and do a final scan.
Please don't forget to get back to us with a Hijackthis log after all.
laurentio
25th July 2008, 09:40 PM
This one got me on an early morning email check as well. I had limited results with F-Prot and TR. Mine had become quite messy as well and I was getting ready to do something drastic but I tried Malwarebytes in a last ditch effort and, to my great surprise, it worked perfectly. It will take much longer than the others suggested but as far as I can tell it's all gone. Here's the link if anyone else wants to give it a try.
Download here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe)
Thanks for the excellent forum.
Good luck all.
Hi Colin,
Thank you for your post. It really depends on which UPS version you have on your computer.
Thank you for the link; unfortunately I have "finished" all the UPS viruses I had on my PCs. Could anyone try this new program and let us know if it works against the UPS virus please?
AdamK
25th July 2008, 09:55 PM
Have just found an easier and quicker way to remove UPS virus, burito.exe, braviax.exe and not only.:)
1. Download F-Prot Antivirus
from here (http://files.f-prot.com/files/windows/fpav-windows-x86-hc-en.msi)
Install and update and restart when requested.
3. Download TR
from here (http://www.simplysup.com/tremover/download.html)
Install, update then follow the scanning instructions.
It might take 30 min or maybe more but trust me, it works. I have just cleaned 4 computers.
I was up until 2am trying to clean my wife's laptop. This one digs in deep! It's up and running creating 'buritos' even in safe mode!
F-prot didn't <seem> to do much (that I could tell), but TR did the trick! The buritos were still there, but since the process was no longer running, they were easily deleted.
There wasn't much useful info on the net last night, but this thread was a nice surprise this morning. Nice job!
Adam Koczarski
IT Director
Magnusson Klemencic Associates
laurentio
25th July 2008, 10:46 PM
Hi Adam,
Thank you for the feedback, you're more than welcome and feel free to call back anytime you need help. We're here 24/24 just buzz twice ;)
Regards,
Siddq
25th July 2008, 11:52 PM
I am attacked by the UPS virus, but the solutions I have to follow require downloading through the internet. I can't even connect to the internet. Can you help?
Siddq
25th July 2008, 11:59 PM
Is there any other way around fixing this virus? I cannot connect online on the computer.
laurentio
26th July 2008, 12:00 AM
This is interesting. How did you manage to read or post this message? If from somebody else's PC then get a USB stick, copy those given programs, move them to your infected PC and start scanning.
Could you also, fwd the infected email to me?
regards
saopaulo
26th July 2008, 04:59 PM
I am happy to report that the Malwarebytes program cleaned the virus out of the computer.
It took 11 hours of scanning.
However, it was the only one that got rid of the virus.
I was going to use Kaspersky, but Malwarebytes came first.
laurentio
26th July 2008, 05:12 PM
Hi Saopaulo
Thanks for letting us know, your help is much appreciated.
Malwarebytes has been now added to the "final solution (http://support.bicester-computers.com/showthread.php?t=18)" post too.
Alison
26th July 2008, 09:18 PM
Hi Laurentio
I was going out of my mind trying to get rid of the UPS virus and because I thought F-Prot was easier to use I tried that first. It didn't work and I was tearing my hair out. I tried the original one you suggested, the SDFix, and it has worked beautifully, much to my surprise.
Thank you.
My next job was to reinstall windows, which I really didn't fancy doing.
Phew!
Alison
imsamirjoshi
27th July 2008, 12:31 PM
Thanks very much for help removing this bug. I used F-Prot first and then Trojan Remover. I think TR did the job. Thanks again.
laurentio
27th July 2008, 01:44 PM
Hi Alison, hi Imsamirjoshi
Thanks for your feedback, it is much appreciated!
As you can see there are times when the solution posted as "the final (http://support.bicester-computers.com/showthread.php?t=18)" doesn't work. Therefore, we have to come back to the previously posted one. (This is an answer to someone who asked why we don't remove all previous posts and keep just the "final solution (http://support.bicester-computers.com/showthread.php?t=18)".)
Removing UPS virus depends on the UPS virus version you have on your computers and also the presence of other infections on the system.
UPS virus has a rootkit, which makes detection and removal very difficult.
The deployed files are (in most of the cases):
c:\windows\braviax.exe
c:\windows\buritos.exe
c:\windows\system32\buritos.exe
c:\windows\system32\crypts.dll
c:\windows\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\karina.dat
In addition, its rootkit kept adding cru629.dat to AppInit_DLLs.
The rootkit might block *.*.exe files from running (you'll have to rename your *.*.exe scanning tools in order to run them).
You might also find additional driver files e.g. Wel63.sys, Ppu54.sys or W432fsd.sys
The reason I have chosen F-Prot is that the rootkit will block McAfee, Norton, Bullguard, Spybot S&D, SuperAntiSpyware and any other commercial antivirus scanners.
It might also install "XPSecurityCenter" or WindowsAntivirus2009 or 2008, which are, again, rogue antispyware programs.
If this post is too complicated then just go back to the final solution (http://support.bicester-computers.com/showthread.php?t=18), follow the instructions and voila, your PC is clean again.
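The post above lists the artefacts to look for (dropped files, the cru629.dat entry in AppInit_DLLs, the extra driver files and the SafeBoot\Minimal entry that the ComboFix script earlier in the thread removed). The script below sweeps a host for exactly those artefacts; it is an added example for this thread, not a tool from the thread, and the indicator lists are copied from the post. The registry and file-system reads are passed in as callables so the logic can be exercised with constructed data on any machine; on Windows the defaults use winreg and os.path.

```python
"""Sweep a Windows host for the artefacts listed in the post above.
Added example, not a thread tool; indicator names come from the post."""
from __future__ import annotations

import os
from typing import Callable, Iterable

# Paths the post lists as dropped by this infection.
DROPPED_FILES = [
    r"c:\windows\braviax.exe",
    r"c:\windows\buritos.exe",
    r"c:\windows\system32\buritos.exe",
    r"c:\windows\system32\crypts.dll",
    r"c:\windows\system32\ntos.exe",
    r"c:\windows\system32\wsnpoem\audio.dll",
    r"c:\windows\system32\wsnpoem\video.dll",
    r"c:\windows\system32\karina.dat",
    r"c:\windows\karina.dat",
]
# Driver names the post gives as examples.
DRIVER_NAMES = ["Wel63.sys", "Ppu54.sys", "W432fsd.sys"]
# DLL the post says the rootkit keeps re-adding to AppInit_DLLs.
APPINIT_INDICATOR = "cru629.dat"


def parse_appinit(value: str) -> list[str]:
    """AppInit_DLLs holds DLL names or paths separated by spaces or commas."""
    return [p for p in value.replace(",", " ").split() if p]


def sweep(path_exists: Callable[[str], bool],
          read_appinit: Callable[[], str],
          list_safeboot_minimal: Callable[[], Iterable[str]]) -> list[str]:
    """Return a list of human-readable findings; empty means nothing matched."""
    findings: list[str] = []
    for path in DROPPED_FILES:
        if path_exists(path):
            findings.append(f"dropped file present: {path}")
    for name in DRIVER_NAMES:
        drv = rf"c:\windows\system32\drivers\{name}"
        if path_exists(drv):
            findings.append(f"driver file present: {drv}")
    for entry in parse_appinit(read_appinit()):
        # Compare on the file name so both bare names and full paths match.
        if os.path.basename(entry.replace("\\", "/")).lower() == APPINIT_INDICATOR:
            findings.append(f"AppInit_DLLs loads {entry}")
    wanted = {n.lower() for n in DRIVER_NAMES}
    for key in list_safeboot_minimal():
        if key.lower() in wanted:
            findings.append(rf"SafeBoot\Minimal entry lets {key} load in Safe Mode")
    return findings


# Default providers for a live Windows host (winreg is Windows-only).
def appinit_from_registry() -> str:
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows")
    try:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        return value
    except FileNotFoundError:
        return ""
    finally:
        winreg.CloseKey(key)


def safeboot_minimal_from_registry() -> list[str]:
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal")
    names: list[str] = []
    try:
        i = 0
        while True:            # EnumKey raises OSError once the subkeys run out
            names.append(winreg.EnumKey(key, i))
            i += 1
    except OSError:
        pass
    finally:
        winreg.CloseKey(key)
    return names


if __name__ == "__main__":
    if os.name == "nt":
        for line in sweep(os.path.exists, appinit_from_registry, safeboot_minimal_from_registry):
            print(line)
    else:
        print("Run this on the Windows host being examined.")
```

Because the post says the infection carries a rootkit, a clean result from inside the running system is not conclusive: files hidden from user-mode enumeration will not show up. The file checks are more trustworthy when the drive is examined from a boot CD (Hiren's, mentioned above) or mounted on another machine, in which case pass a path_exists callable that prefixes the mounted drive letter.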
Maceter
28th July 2008, 03:21 PM
I want to thank you! Your help was invaluable. I followed your instructions to remove some programs, reboot, use smitfraud, etc. But XP Security Centre still wouldn't die.
I wish I had tried Colin's suggestion (Malwarebytes) first, but I had already tried Windows Defender - that took care of the last bit.
At your request I have pasted a copy of the HijackThis log below.
Knowing that Norton and the others missed this one, I'd REALLY love your recommendation on a long-term defensive solution(s), weighing the usual "requirements" as much as possible, i.e. free or as cheap as possible, not a resource hog, and SIMPLE (my users are REALLY not good at even small decisions).
Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:03, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\pycron\pycron.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\BusinessVision\BusinessVision.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.Lnk = C:\PVSW\Bin\w3dbsmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D1EFCF-5CA9-4831-9FEF-BCC0A8C4F4D3}: NameServer = 66.96.30.99,66.96.30.91
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Python Cron Service (PyCron) - Unknown owner - C:\Program Files\pycron\pycron.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 5356 bytes
laurentio
28th July 2008, 03:37 PM
Hello Adam and welcome back.
Let's try NOD32 Smart Security. It comes with a 30-day trial; see if it suits your needs, and if it does and you like it, then just buy it from NOD's website. Very good, very "quiet", exactly what you need.
See here:
NOD32 Full Trial for 30 days (http://www.eset.com/download/free_trial_download_int.php)
NOD32 Prices (http://www.eset.com/purchase/index.php)
Kind regards,
ajbpa
28th July 2008, 04:20 PM
I’ve been trying to remove the UPS virus using the methods you described. It seems that all of the files have been deleted, with the exception of the yellow screensaver that screams that there is a virus present. Trojanscan says that it detected two restrictive Windows Explorer policies – one that hides the screensaver tab and another that hides the background tab. How do I reset those settings?
Since my last posting, I re-ran Combofix and eureka, it worked!! Many, many thanks for your help.
laurentio
28th July 2008, 06:39 PM
Hi there,
Read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) on how to use combofix then when ready download it from here. (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Just follow the instructions, it should remove the fake screen and any remaining malware.
midnight-turkey
29th July 2008, 10:37 AM
:)
Brilliant! Thank you for directing me to sdfix
My computer has never been cleaner.
I was just on the point of re installing OS.
So I return to the place I grew up for an answer
Hey you are not related to an old rock singer are you?
If so that is me!
and thank Mr Manchesta too!
laurentio
29th July 2008, 10:44 AM
Hi M-Turkey,
I'm glad you've found some help on our forum. Don't forget to save it to your IE's favourites and do visit us back in future for any help you might need.
Have a nice day;)
Alison
29th July 2008, 12:52 PM
Hi again Laurentio
I wanted to ask you something....after I had run SDFix, I then ran Malwarebytes and the PC seemed fine. About an hour later my background disappeared! Completely off the system altogether. Does that mean that I still have a virus?
Regards:confused:
Alison
laurentio
29th July 2008, 12:58 PM
Hi Alison and welcome back,
It is strange that the "background" (wallpaper?) has disappeared after 1 hour.
Usually the scanning tools/programs disable the wallpapers or screensavers you might have, and I believe that in your case you've noticed the missing wallpaper after the 1st restart only.
Would that be the case? Not too sure; then let's have a look at a hijackthis log file. Can you scan and send it over?
asolari
29th July 2008, 09:37 PM
Hi
I'm trying to install Trojan remover on the infected computer and I get the following error:
C:\Program files\Trojan Remover\ TRshlex
Unable to register the DLL/OCX: RegSVR failed with exit code oxc0000005
Click retry to try again, Ignore to proceed anyway, or abort installation.
I can't believe I opened that file...
any help would be appreciated.
~AJS
Never mind - restarted in safe mode and am running TR. It seems to be finding the files that are affecting my computer. Hopefully I won't need any more help.
laurentio
29th July 2008, 10:08 PM
hi Asolari,
don't worry, we all make mistakes. it takes a split second...
back to your problem:
the file you try to run is a bit strange: the trojan remover executable looks pretty much like this:
trsetup.exe
why is it yours:
TRshlex?
second:
is that XP or Vista? 32 or 64?
please advise.
Working now? I would scan the PC with Malwarebytes too. Usually removes any traces left by TR.
asolari
29th July 2008, 10:32 PM
hi Asolari,
don't worry, we all make mistakes. it takes a split second...
back to your problem:
the file you try to run is a bit strange: the trojan remover executable looks pretty much like this:
trsetup.exe
why is it yours:
TRshlex?
second:
is that XP or Vista? 32 or 64?
please advise.
Hi laurentio,
Everything seems to be going ok now. I'm now running the anti-malware. I'll post again to confirm the issue is solved, but so far it's been an easy fix. I thought I was going to have to re-install. Thanks a million.
Tarmi
30th July 2008, 12:28 AM
Thank you so much for the FINAL SOLUTION: I had 2 laptops and 1 workstation infected (even our IT guy who comes in didn't know how he was going to fix it). Thank you :D
asolari
30th July 2008, 01:48 AM
Ok. I followed all 3 steps in your final solution and the computer is running very smoothly (better than it has in a long time), however I'm unable to send or receive through Outlook. Do you think this is related? I'm getting the following message:
Task Incoming - sending reported error (ox800421oB) Operation tuned out waiting for the SMTP server.
And then Outlook tries to send again. It's just a continuous loop. Should I re-install Outlook?
At one point during the fix I did get a message about an Outlook registration file being renamed. I didn't write it down and I can't seem to get that message to show up again, even after restarting. Any thoughts?
I'm running XP and Outlook 2003.
AJS
laurentio
30th July 2008, 02:36 AM
Tarmi, Asolari, you're more than welcome!
Asolari, this is a dif. issue, Windows related. Will you please open a new thread or post it to the correct location next time? Thank you.
Now, according to your description I believe that you can receive emails but cannot send. Am I right?
If you cannot send then it is an ISP issue.
Sending reported error (0x8004210B)
Now, according to your description I believe that you can receive emails but cannot send. Am I right?
If you cannot send then it is an ISP issue.
Change the outgoing SMTP port from 25 to 587 and it should work.
Please advise.
athabasca
30th July 2008, 03:44 AM
Hi Laurentio,
Just wondered if you have heard of SDFix.exe not installing?
I downloaded it, but when I double click on it and click on the Run button, nothing happens. I can't find the RunThis.cmd file or a C:\SDFix directory.
If you have any suggestions, I'd really appreciate it as I'd love to get rid of the buritos file.
Thanks in advance for your help.
Athabasca
laurentio
30th July 2008, 12:03 PM
hi Athabasca,
try this:
------------------------------------------------------------------------
Download SDFix from here (http://download.bleepingcomputer.com/andymanchesta/SDFix.exe) and save it to your Desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum)---------------------------------------------------------------------------------------------
Or, try Malwarebytes. Download from here (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html).
asolari
30th July 2008, 03:39 PM
Tarmi, Asolari, you're more than welcome!
Asolari, this is a dif. issue, Windows related. Will you please open a new thread or post it to the correct location next time? Thank you.
Now, according to your description I believe that you can receive emails but cannot send. Am I right?
If you can send then it is an ISP issue. Change the outgoing SMTP port from 25 to 587 and it should work.
Please advise.
It was an ISP issue, fixed now. Thanks again for your help.
laurentio
30th July 2008, 06:23 PM
my pleasure ;)
athabasca
31st July 2008, 05:25 AM
Hi Lurentio,
Thanks for the link again. It all worked this time. The fix actually didn't remove buritos, but it removed another 10 trojans from my system and I was able to remove buritos from the System32 directory and from all the places in the Registry, as well as going into msconfig and removing it from the startup, which is what was making it run every time you restarted the computer.
All is fixed now. I can post the log if it would be of interest.
Cheers,
Athabasca
athabasca
31st July 2008, 05:27 AM
Sorry, I seem to have spelled Laurentio incorrectly the last time, but I'm sure you know who I mean!
Athabasca
laurentio
31st July 2008, 08:26 AM
Hi Athabasca, that's fine, I'm glad you've sorted it out.
Regards,
;)
meofcourse
31st July 2008, 07:25 PM
Hi All,
As a system administrator, I've had a couple of my users' computers infected with this virus, and I thought I'd let you know of what worked for me.
I did the following in the following order, all in safe mode. (note: whenever the computer rebooted I sent it back to safe mode)
1. Combofix.exe as per instructions here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
2. SDfix.exe as per instructions in this thread
3. Torrent Remover (tr) as per instructions in this thread
4. MalwareBytes as per instructions in this thread.
HiJackThis now shows the systems as clean.
Hope this helps anyone who is stuck.
meofcourse
laurentio
31st July 2008, 10:08 PM
Hi Meofcourse,
This is an excellent post and I believe that it helps not only against UPS virus but against a large spectrum of malware and viruses too.
Well done and thank you very much for your post.
:)
SammySpaceman
31st July 2008, 11:51 PM
Hi,
I had a user execute the UPS trojan. I've been using all of the methods listed in this thread, in addition to Lavasoft Ad-Aware & Spybot Search & Destroy.
Lavasoft offers a free version of their program at www.lavasoftusa.com.
I found a free version of Spybot here: http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10122137.html?hhTest=1
I also ran HijackThis just to double-check and make sure that everything was back to normal. It looks good to me, but can someone else who is familiar with HijackThis take a look at my log? I feel that a fresh pair of eyes can sometimes detect that which one's own cannot.
Thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:36 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VISION~2\OneTouchMon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Aurora Software\TransDoc\ImagingComms.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Aurora Software\TransDoc\AProDriver.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sensormatic\NetworkClient\Bin\NtlxEventhandler.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\OneTouchMon.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TransComms] C:\Program Files\Aurora Software\TransDoc\\ImagingComms.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TransFax] C:\Program Files\Aurora Software\TransDoc\\AProDriver.exe -u SYSDBA -p masterkey
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Intellex Event Handler.lnk = C:\Program Files\Sensormatic\NetworkClient\Bin\NtlxEventhandler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra button: Extract Flash Video with Bytescout... - {B094BF5C-3D6F-432C-856F-65092EBE575A} - C:\Program Files\Bytescout SWF To Video Scout\flashextract_ie.html
O9 - Extra button: (no name) - {DC0A10D2-F013-454A-860E-FD320BA6D989} - C:\Program Files\Bytescout SWF To Video Scout\flashextract_ie.html
O9 - Extra 'Tools' menuitem: Extract Flash Video with Bytescout... - {DC0A10D2-F013-454A-860E-FD320BA6D989} - C:\Program Files\Bytescout SWF To Video Scout\flashextract_ie.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\Gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209671297843
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {6D868B99-8B01-4B25-9BD1-ED37AFDF5E29} (Ontrack Data Recovery Verifile Data Reports) - http://www.ontrackdatarecovery.com/verifile/npvfasp.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\helpspot\StartFirstControl.CAB
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32608B5-EB51-4BF1-B167-DA6AB7AAA11D}: NameServer = 192.168.1.253,64.80.255.250,64.80.255.251
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
--
End of file - 8758 bytes
laurentio
1st August 2008, 08:08 AM
hi Sammy,
it all looks clean to me. Well done. I would replace McAfee with NOD32 thou'
;)
DieterH
4th August 2008, 07:34 AM
Hi,
had the problem with UPS-virus too.
The attachment was executed and the computer was infected.
Using the "final solution", now everything's working fine again.
By the way, another infection was discovered and removed too.
Thanks a lot.
DieterH
laurentio
4th August 2008, 08:07 AM
Well done Dieter and thanks for letting us know.
;)
rfk33333
4th August 2008, 06:07 PM
My brother activated the UPS virus on his computer, and has given it to me to try to fix for him. Nothing seems to work properly....even in safe mode. When WinXP boots, it immediately logs off the user. I can't get to a screen with a "start" to access msconfig. In safe mode it seems to freeze up, leaving me with a black screen with "safe mode" in the corners. I've loaded TRemover from another computer onto my USB stick, but can't get to a point where I can access it. Any ideas???
laurentio
4th August 2008, 06:52 PM
Doesn't sound good at all.
You have something like a 10% chance to fix it.
1. Unplug the drive from the infected PC (C drive)
2. Plug it onto the other computer (the one you've used to copy TR from onto your USB stick)
3. Once there, scan the infected drive with all the above-mentioned tools.
Anyway, I believe that you have to reinstall...:(
Please let us know how it goes.
rfk33333
5th August 2008, 06:21 AM
I connected the drive to the other computer, and downloaded, UPDATED, and ran Trojan Remover, Malwarebytes' Anti-Malware, and F-Prot Antivirus. TR found 6 unrelated files (adware), Malware found 1 more (adware), and F-Prot came up with zero! However, during the F-Prot scan, I was watching as it scanned the "Windows\System32\" files, and it paused long enough on BOTH of the braviax.exe and burito.exe for me to see that they WERE THERE! But the scan ignored them! What do you suggest I do?
:confused:
Pvt Benjamin
5th August 2008, 09:51 AM
I've got the same problem (can't get into my laptop cos it just keeps logging straight off). You say only like a 10% chance of a fix.:eek: So I'm really better off just taking my HDD somewhere to back it up and then tipping a glass of water on my laptop and claiming from the insurance...?:(
JulianH
5th August 2008, 12:09 PM
Hello - I've followed your instructions and used my laptop to copy the various removal tools onto a USB stick. But what now? My PC won't run any of them. I don't understand how other people on this thread are able to run scans, etc. My PC is in safe mode, but it refuses to run anything. Is there something I've not done?
weetan
5th August 2008, 09:04 PM
Have just found an easier and quicker way to remove UPS virus, burito.exe, braviax.exe and not only.:)
1. Download TR
from here (http://www.simplysup.com/tremover/download.html)
Install, update then follow the scanning instructions.
2 Download Malwarebytes
from here (http://www.malwarebytes.org/mbam.php)
Install, update then follow the scanning instructions.
3. Download F-Prot Antivirus
from here (http://files.f-prot.com/files/windows/fpav-windows-x86-hc-en.msi)
Install and update and restart when requested.
In some cases you might not be able to download/update on the infected computer. Just use a working PC, download onto a USB stick, then move them onto the infected PC and just follow the instructions.
It will take from 30 min to an hour or maybe more (depends on the level of infestations) but trust me, it works. I have just cleaned 4 computers.
This blog has a solution that does not require downloading other software. You can keep your computer offline during the fix process to avoid having the virus downloading any more damaging software.
http://computerkevin.blogspot.com/2008/08/ups-virus-fixed.html
laurentio
5th August 2008, 09:10 PM
Excellent solution (provided that all you have bad on your PC is UPS virus)
Unfortunately the majority of people landing on this forum have more than just the UPS virus...
Anyway, back to the above mentioned link:
- Just make sure you are in safe mode and you have "show hidden files" enabled.
rfk33333
6th August 2008, 02:21 AM
Followed weetan's "http://computerkevin.blogspot.com/20...rus-fixed.html" suggestion.....located and deleted files, deleted registry entries, all "according to plan" using alternate computer. Reinstalled drive in original computer, and back to square one....can't even load windows, can't operate in safe mode, can't do anything. So.....my question is this (and pardon my ignorance)....
What is it that this virus destroyed in the computer?
laurentio
6th August 2008, 02:51 PM
I would have tried the final solution posted on the forum and if that wouldn't have worked I would have tried (only then) weetan's solution. Follow the whole thread, don't just jump to the last posts looking for a magic solution.
Pvt Benjamin
6th August 2008, 02:55 PM
I managed to sort my UPS Virus out. I couldn't get into my PC, it just kept logging out. So I took out my hard drive, put it into another PC and scanned it with the software you guys recommended. This didn't completely remove it, so I backed up my personal stuff (pictures, school work etc.) and formatted the drive. Put all my M-soft Office back on and all the other stuff and now it's working better and faster than before. So if you are having the logging in problem I can assure you that this works as a last resort.;)
rfk33333
6th August 2008, 02:59 PM
08-04-2008 "In need of HELP!"
08-04-2008 "What now??"
08-05-2008 "Frustration"
So.....any suggestions?
laurentio
9th August 2008, 12:40 PM
Followed weetan's "http://computerkevin.blogspot.com/20...rus-fixed.html" suggestion.....located and deleted files, deleted registry entries, all "according to plan" using alternate computer. Reinstalled drive in original computer, and back to square one....can't even load windows, can't operate in safe mode, can't do anything. So.....my question is this (and pardon my ignorance)....
What is it that this virus destroyed in the computer?
God knows what you have deleted using an "alternate computer"... using an alternate computer, therefore a different operating system, lets you edit the registry of that OS only but not the one you have to clean... "According to plan"? Which plan?
:mad:
laurentio
9th August 2008, 12:44 PM
08-04-2008 "In need of HELP!"
08-04-2008 "What now??"
08-05-2008 "Frustration"
So.....any suggestions?
Let's sort this out together:
Are there any error messages that the system comes up with?
scottingh
9th August 2008, 01:56 PM
Hello - I've followed your instructions and used my laptop to copy the various removal tools onto a USB stick. But what now? My PC won't run any of them. I don't understand how other people on this thread are able to run scans, etc. My PC is in safe mode, but it refuses to run anything. Is there something I've not done?
Mine had the same problem. Then I moved the files again onto a different USB stick and they worked fine this time.
rfk33333
9th August 2008, 08:20 PM
Let's sort this out together:
Are there any error messages that the system comes up with?
No error messages, with the exception of one screen that shows up with a warning: "Warning...computer infected....etc. etc."
When I boot in safe mode, winxp will open as far as the log in screen. When I log in (under ANY user) it begins to load, then windows closes itself, and I'm back to the log in screen....can't get any further. I've also tried booting in safe mode with command prompt, and I just get the black safe mode screen, no additional command prompt screen, so I'm unable to do anything at that point other than shut down.
Laurentio, I'm sure you have questions for me, if it's easier for you to contact me via my email, feel free to do that....and THANK YOU!
teufelhunde93
12th August 2008, 11:04 PM
I am following the steps to the final solution--- so far so good. I am on the F-Prot step right now. Here were my steps thus far:
1. Ran SDFix in safe mode (initial solution)
2. Ran Trojan Remover (step one in final solution)
3. Ran Malwarebytes' (step two in final solution), which apparently cleans the files the Trojan Remover renamed (i.e. audio.dll.vir, video.dll.vir, etc.)
I will run F-Prot shortly and I shall post my results via a HijackThis log. Also, I turned off the system restore point in XP so that all restore points were deleted, just in case the trojan buried itself even deeper.
teufelhunde93
13th August 2008, 12:39 AM
I followed the steps to the final solution and it looks like everything is OK. I would like another set of eyes to look at the HijackThis file...
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\IBackup Drive\IBackup Drive.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
C:\IBackup Drive\SSLIDrive.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
teufelhunde93
13th August 2008, 12:40 AM
Here is the other part of hijackthis results-- couldn't post in the previous due to length...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IBackup Drive] "C:\IBackup Drive\IBackup Drive.exe" Minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wallpaper Changer.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c16/v21.155/qboax10.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1210180541_64a8373081f9180fead1c7e2bdad1396&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
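One way to do the "second set of eyes" pass asked for above, as an added example that is not part of this thread and not HijackThis code: a small Python script that parses HijackThis-style lines and flags what a reviewer looks at first, that is, entries whose binary is reported missing, services with no publisher recorded, autoruns that give only a bare file name (resolved through the PATH search order at logon), and executables whose names look machine-generated, like the lphc50uj0et8l and rhc7rej0etbp names other posters in this thread mention. The sample lines are constructed for the example: six are copied from the log posted above, the last two are made up to resemble those random names. The threshold of four letter/digit switches in a file name is an assumption for the example, not a HijackThis rule, and a hit is a reason to look at a file, not proof that it is malicious.

```python
import re

# Constructed sample input: the first six lines are copied from the HijackThis log
# posted in this thread; the last two are made up to resemble the randomly named
# programs other posters report (lphc50uj0et8l, rhc7rej0etbp) and come from no real log.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O4 - HKLM\..\Run: [lphc50uj0et8l] C:\WINDOWS\system32\lphc50uj0et8l.exe
O4 - HKCU\..\Run: [rhc7rej0etbp] "C:\Program Files\rhc7rej0etbp\rhc7rej0etbp.exe" /s
"""

# Every HijackThis entry starts with a section tag: "O4 - ...", "R1 - ...", "O23 - ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# A drive-letter path, extended lazily until the first binary extension.
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|drv|cab)\b", re.IGNORECASE)
# A file name with no directory at all (Windows resolves it through PATH at run time).
BARE_FILE_RE = re.compile(r"(?<![\\\w])[\w~.-]+\.(?:exe|dll|sys|drv)\b", re.IGNORECASE)

# Assumed threshold: a name stem that switches between letters and digits this
# many times (lphc50uj0et8l switches six times) is treated as machine-generated.
RANDOM_NAME_SWITCHES = 4


def extract_path(body):
    """Return (path, fully_qualified) for the binary an entry points at, or (None, False)."""
    m = DRIVE_PATH_RE.search(body)
    if m:
        return m.group(0), True
    m = BARE_FILE_RE.search(body)
    if m:
        return m.group(0), False
    return None, False


def letter_digit_switches(stem):
    """Count how often a name alternates between a run of letters and a run of digits."""
    runs = re.findall(r"[A-Za-z]+|\d+", stem)
    return max(len(runs) - 1, 0)


def triage(log_text):
    """Return one finding per (entry, reason) that deserves a reviewer's attention."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if "(file missing)" in body:
            reasons.append("registered binary is missing on disk")
        if "Unknown owner" in body:
            reasons.append("service has no publisher recorded")
        path, qualified = extract_path(body)
        if path:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if section == "O4" and not qualified:
                reasons.append("autorun gives a bare file name, resolved via PATH at logon")
            if letter_digit_switches(stem) >= RANDOM_NAME_SWITCHES:
                reasons.append("file name looks machine-generated")
        for reason in reasons:
            findings.append({"section": section, "path": path, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']:<60} {f['path']}")
```

Run against the sample it reports five lines: the bare ALCXMNTR.EXE autorun, the missing mscoree.dll protocol handler, the SiteAdvisor service with no owner, and the two random-name autoruns; the Spybot, Java and ATI entries pass. Such a filter is only a first sort of a long log; the posters above still had the flagged files checked by a scanner before deleting anything.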
laurentio
14th August 2008, 12:35 AM
No error messages, with the exception of one screen that shows up with a warning: "Warning...computer infected....etc. etc."
When I boot in safe mode, winxp will open as far as the log in screen. When I log in (under ANY user) it begins to load, then windows closes itself, and I'm back to the log in screen....can't get any further. I've also tried booting in safe mode with command prompt, and I just get the black safe mode screen, no additional command prompt screen, so I'm unable to do anything at that point other than shut down.
Laurentio, I'm sure you have questions for me, if it's easier for you to contact me via my email, feel free to do that....and THANK YOU!
Well well well... this is not UPS... this is something else. It sounds like your profile was somehow locked on reboot; let's open a separate thread only for this issue.
Here is the new thread: I cannot log into Windows XP. (http://support.bicester-computers.com/showthread.php?p=150#post150)
laurentio
14th August 2008, 12:43 AM
hi Teufelhunde93,
It looks clean to me. I would anyway remove McAfee as it didn't help against UPS and replace it with a proper antivirus. Doing so would also improve the speed of your PC by at least 30%.
Regards,
rmcinnes
16th August 2008, 05:35 AM
Laurentio,
Can I assume the Final Solution as posted [#5 updated last on 26 July] incorporates the latest recommendations of the Forum?
In summary, three steps...
1) Download TrojanRemover,
2) Download Malwarebytes, Install and Update,
3) Download F-Prot Antivirus,
In Post #41 NOD32 is suggested; may I substitute NOD32 for F-Prot in the third step above?
I have a machine in quarantine, pending confirmation and clarification, thanks...
Robert...
rmcinnes
16th August 2008, 06:03 AM
Laurentio,
A few things I have noticed, in trying to troubleshoot the UPS Virus...
a) I suspected that my desktop had been hijacked, and found that the Control Panel, Display Properties, Desktop and Screen Saver tabs are missing [and incidentally the Categories Option for Control Panel is missing]. A fix from XoftSpy
restored the Desktop and Screen Saver tabs, enabling me to discover b)
b) the Windows Restart screen that occasionally appears is not an official Windows Restart screen; it is a copy inserted into a Screen Saver, and includes the nasty Blue Screen requesting an F8 to continue. It has a strange name like lphc50uj0et8l and corresponds to the program I find running in Task Manager.
c) McAfee is blocked from running On Access Scan, so the Notebook is quite vulnerable during this troubleshooting. I have it now permanently quarantined [off network], and transfer files via CD-R.
d) I note on two occasions, that at about the same time as I plugged in the Ethernet cable the Notebook automatically shut down and rebooted. Nasty...
Hence the quarantined state. The UPS Virus dug in deeper since the last of these restarts, only the second incident.
New Viruses C:\Windows\System32\vsnpoem\vidoe.dll, and audio.dll appeared, both are related to Infoseeker Banker C Trojan.
Once I have clarification [see previous posting] I will launch into the Final Solution.
Thanks a million for administering this Forum, I suspect there a still many out there who are as stuck as I have been.
XoftSpySE did not work; they did create a fix that got my desktop back, and they are still working on analysing the logs and symptoms I have sent them.
It would be nice to beat them to get this UPS Virus cleaned out...
Robert...
laurentio
16th August 2008, 06:12 AM
Hi Robert,
1: CD or USB stick and move the files to your computer.
1b: Make sure you uninstall McAfee or any other AV solutions you might have.
2: Final solution is the one you need.
3: Yes, replace F-Prot with NOD32.
4: Once cleaned run Tune-Up Utilities 2008 from here. (http://www.tune-up.com/download/)
Good luck.
jd12345
18th August 2008, 03:48 PM
I got the UPS email and clicked on the attachment, but closed it as soon as it opened. On another website I was told where to find the braviax.exe and burito.exe 'files', but they weren't there. I've done multiple virus scans and nothing has shown up. Does this mean I don't have the virus? I only opened the attachment for a split second, and my computer hasn't been acting slowly. Does the trojan act as a keylogger, as I need to buy something online but am worried that I might still have it. Thanks.
laurentio
18th August 2008, 04:00 PM
Hi JD,
Just follow the final solution posted a few pages before and if the Trojan is still there it will just remove it. If it is not there anymore I don't believe that scanning the PC would do any harm.
Regards,
rmcinnes
19th August 2008, 02:36 PM
Laurentio...
Today, the Notebook is looking good, I will confirm in a few days if it remains clean...
XoftSpySE provided me with a copy of SmitFraudFix, which in safe mode, detected and deleted the core virus programs, but missed a few remnants,
The Scan Report was over written with the Final SmitFraudFix Log.txt [attached].
Key observations on re-boot...
McAfee [4.5.1] System Scan could be enabled,
Control Panel Categories View restored...
Desktop and Screensaver restored to default, and my preferences allowed.
iphc50uj0et8l.exe observed to be still running in Task Manager...
I ran Malwarebytes, scanned and rebooted.
Malwarebytes identified and eradicated...
iphc50uj0et8l.exe, sysrest32.exe, audio.dll, video.dll, and ntos.exe,
and a number of other Trojans...
see report Malwarebyte Log-08-19-2008 (18-13-45).txt [attached]
Next, I uninstalled McAfee 4.5.1, and loaded ESET NOD32 Antivirus,
Nice, NOD32 is very good, very quiet, and much lower overhead.
A complete scan located and removed beep.sys, and
five what appear to be remnants of XPAntivirus and FakeAlert Trojans
refer attached log NOD32 Log [080819].txt
Thank you again, for your patience and perseverance...
I will let you know the status with an update here in a few days time.
I cannot really find the words to adequately express my thanks.
This is the first time I have been caught by a Virus/Spyware thingy; this UPS Virus and associated XPSecurityCenter fraud are very cleverly crafted, and were able to deactivate McAfee, reboot and connect to the Internet at will, and so potentially do so much damage if unchecked. Quarantining the Notebook I believe was vital to containing the damage...
Robert.
laurentio
20th August 2008, 10:39 AM
Hi Robert
Glad you have found the needed help on our forum and thanks for the nice words. You are more than welcome and please feel free to call back at any time.
I had a look at your logs and they all look clean to me. Did you run Tune-Up Utilities software? Give it a try, especially the registry cleaner option.
Regards,
TO ALL:
Please let us know if the above posted solution has helped you or not.
It is not only about helping others but helping yourself and making us better. Open an account with us today and get an automatic confirmation email with your username and password that will save you time in future.
(It is free and it takes less than a minute)
Thank you.
jd12345
21st August 2008, 04:29 PM
Thanks laurentio - It seems that I don't have the UPS virus, but now I've had three other trojans spotted by AVG, that I have deleted. They all had .zyg on the end of their names. Could this be related to the UPS virus? Also, can the UPS virus log keys, and is there any chance that you know if .zyg trojans can log keys? I really need to buy something on the internet but am worried about giving away bank details. And, for future reference, if I know the name of a virus that I think I might have, will putting its name in Start --> Search do any good in finding out if it's on my system?
thanks again
Jonah
laurentio
22nd August 2008, 01:28 AM
hi JD,
There is something I cannot understand. People, why do you keep the same antivirus on your system when having it there from the beginning didn't help at all??? Uninstall it and get some proper software... as unfortunately AVG cannot completely remove these "bifrose" family trojans.
Back to your .zyg files... that's not UPS virus it is Bifrose therefore I am going to open a new thread here (http://support.bicester-computers.com/showthread.php?p=174#post174), post a description and a quick removal tool.
Don't even think about doing any on-line banking until you scan the whole system at least once with the above posted tool then with NOD32 Antivirus. (there is a free download available, see the previous posts)
Good Luck.
jd12345
22nd August 2008, 08:12 AM
Okay, I've downloaded Malwarebytes, and it did a scan, and found nothing. So I assume I don't have the UPS virus. Can Malwarebytes find .zyg 'bifrose' trojans? And also, is it safe to have AVG, Malwarebytes, and NOD32 running on the same computer? AVG was recommended by another computer specalist* and it was the antivirus that caught the .zyg trojans in the first place?
*It blocks it out if I write spe******t correctly????
laurentio
22nd August 2008, 08:35 AM
read this:
http://support.bicestercomputers.co.uk/showthread.php?t=25
I hope it answers most of your questions.
Malwarebytes with NOD32 is just perfect.
jd12345
22nd August 2008, 08:46 AM
So I should uninstall AVG and buy NOD32, even though I'm still risking giving away my bank details buying it?
laurentio
22nd August 2008, 08:49 AM
Do you read my posts properly?
I said that NOD32 gives you 30 days free trial.
Just download it and scan the PC. If you like it then buy it in 30 days.
jd12345
22nd August 2008, 08:54 AM
Sorry, I'm just trying to rush through everything! Ok, so I'll download NOD32, then uninstall AVG, and then do a virus scan with NOD32. There are two computers in the house- can we get free trials on both of them?
dominicb
22nd August 2008, 08:58 AM
Hi Laurentio, I have just spent all yesterday afternoon trying to rid a machine of the consequences of opening the new variant UPS virus, ran out of time so going back to the machine later this morning to try and finish resolving the issues.
I ran across your forum last night whilst researching the problem from my home so I'll be trying your latest advice in a couple of hours.
I know the viruses that come with the now infamous UPS email, i.e. Burrito, Braviax, Katrina etc., but have you come across a file called yej05.sys, that resides in the windows\system32\drivers\ subdirectory? Unable to remove by any of my normal methods (kill, autoruns, etc.) even in safe mode and with the work-around of renaming the tools to start up in the presence of the above named viruses.
I have googled the yej05 file name and it just comes back with hits from Russian websites with no real information about what it is etc.
Do you know this file or have you come across it in your anti-spyware/malicious software removal work?
Any help or advice greatly appreciated, I'll leave another message after trying your new method to get rid of the base UPS virus.
laurentio
22nd August 2008, 10:49 AM
Sorry, I'm just trying to rush through everything! Ok, so I'll download NOD32, then uninstall AVG, and then do a virus scan with NOD32. There are two computers in the house- can we get free trials on both of them?
Yes, you can have it on both computers.
laurentio
22nd August 2008, 12:30 PM
...have you come across a file called yej05.sys, that resides in the windows\system32\drivers\ subdirectory? Unable to remove by any of my normal methods (kill, autoruns, etc.) even in safe mode and with the work-around of renaming the tools to start up in the presence of the above named viruses...
Hi Dominic and welcome to our support forum.
yej05.sys is definitely a service-driver file of a rootkit (Win32/Wigon.CK) that deploys files (running services) inside system32\drivers. See below:
C:\WINDOWS\System32\Drivers\Sxd15.sys
C:\WINDOWS\System32\Drivers\Agl27.sys
C:\WINDOWS\System32\Drivers\Chm05.sys
C:\WINDOWS\System32\Drivers\Cin38.sys
C:\WINDOWS\System32\Drivers\Eko62.sys
C:\WINDOWS\System32\Drivers\Glp51.sys
C:\WINDOWS\System32\Drivers\Msx62.sys
C:\WINDOWS\System32\Drivers\Nty84.sys
C:\WINDOWS\System32\Drivers\Pua27.sys
C:\WINDOWS\System32\Drivers\Pua51.sys
C:\WINDOWS\System32\Drivers\Puy50.sys
C:\WINDOWS\System32\Drivers\Qvb61.sys
C:\WINDOWS\System32\Drivers\Rwc62.sys
C:\WINDOWS\System32\Drivers\Sxd05.sys
C:\WINDOWS\System32\Drivers\Vbg40.sys
C:\WINDOWS\System32\Drivers\Yei48.sys
C:\WINDOWS\System32\Drivers\Yej05.sys
The best removal tool in this case is AVZGuard.
The latest version is AVZGuard 4.30 and it can be downloaded from here (http://z-oleg.com/secur/avz/download.php)
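A defender-side check for the pattern in that driver list, as an added example (not code from this thread, from AVZ or from any vendor): every name in the list has the same shape, three letters followed by two digits, and a dropper typically writes its whole set of drivers within minutes of each other, so a listing of System32\Drivers can be screened on both signals at once. The listing below is constructed for the example; the names in the second group are four of the ones posted above, the sizes and timestamps are invented, and the ten-minute window and minimum group size of three are assumptions chosen for the example. A name-only match could also catch a legitimately named driver, so the output is a list to inspect, not a list to delete.

```python
import re
from datetime import datetime, timedelta

# Constructed sample listing of %SystemRoot%\System32\Drivers as (name, size, last-write time).
# The four names in the second group are taken from the post above; the sizes and
# timestamps are invented for this example and do not come from any real machine.
SAMPLE_LISTING = [
    ("ntfs.sys",      574976, datetime(2008, 4, 14, 12, 0)),
    ("tcpip.sys",     361344, datetime(2008, 4, 14, 12, 0)),
    ("kbdclass.sys",   24576, datetime(2008, 6, 20, 9, 30)),
    ("Ati2mtag.sys", 2200000, datetime(2008, 3, 1, 16, 45)),
    ("Yej05.sys",      12288, datetime(2008, 8, 21, 22, 17)),
    ("Sxd15.sys",      12288, datetime(2008, 8, 21, 22, 17)),
    ("Agl27.sys",      12288, datetime(2008, 8, 21, 22, 18)),
    ("Pua51.sys",      12288, datetime(2008, 8, 21, 22, 18)),
]

# Shape shared by every name in the post: three letters, two digits, ".sys".
GENERATED_NAME_RE = re.compile(r"^[A-Za-z]{3}\d{2}\.sys$")


def looks_generated(name):
    """True when a driver file name fits the 3-letter/2-digit pattern from the post."""
    return GENERATED_NAME_RE.match(name) is not None


def burst_groups(entries, window=timedelta(minutes=10), min_size=3):
    """Return groups of at least min_size drivers whose write times all fall within
    `window` of the first file in the group (a dropper writes its set in one go).
    Both parameters are assumed values for this example."""
    groups, current = [], []
    for entry in sorted(entries, key=lambda e: e[2]):
        if current and entry[2] - current[0][2] > window:
            if len(current) >= min_size:
                groups.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_size:
        groups.append(current)
    return groups


def triage_drivers(entries):
    """Map driver name -> list of reasons it deserves a look; an empty dict means nothing flagged."""
    findings = {}
    for name, _size, _mtime in entries:
        if looks_generated(name):
            findings.setdefault(name, []).append("name fits the 3-letter/2-digit pattern")
    for group in burst_groups(entries):
        for name, _size, _mtime in group:
            findings.setdefault(name, []).append(
                f"written within minutes of {len(group) - 1} other drivers")
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(triage_drivers(SAMPLE_LISTING).items()):
        print(name, "->", "; ".join(reasons))
```

On the sample the four posted names are flagged twice each (pattern and burst) and the three Windows drivers plus the ATI driver are not, even though two of the legitimate files share a timestamp, because a pair is below the group size. On a real machine the listing would come from the directory itself and the burst check is the more robust of the two signals, since a later variant can change the naming scheme but still has to drop its files together.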
Richard
23rd August 2008, 02:03 AM
Thank you very (add several more very's if you want) much! This is, as you said, a tough one to get rid of, but I followed your steps at the bottom of your thread and it worked just great! No more problems! You are helping a lot of people, my friend.
Richard
Richard
23rd August 2008, 02:05 AM
I should add this is in regard to that UPS buritos.exe virus!
Richard
laurentio
23rd August 2008, 04:59 AM
Dear Richard,
You see, words like these and people like you make us justify what we are doing. It is me who should say thank you, welcome to our forum and have a long and nice stay amongst us.
Kind regards,
Munster
24th August 2008, 12:33 PM
Laurentio
Thanks, the 'final solution' worked well, albeit I used the already installed TREND rather than the recommended one. TREND seems OK but couldn't get rid of the Trojan, and their own recommended removal method was a waste of time as it couldn't attack the cause.
cheers
Robert
rmcinnes
27th August 2008, 07:32 AM
Laurentio,
As promised, my feedback on the status of the Final Solution...
My Notebook is clean, and continues to perform better than ever before, thanks.
NOD32 is just great for me, it is quiet, especially on start up, and carries very little baggage.
McAfee just seemed to get fatter and fatter, consumed most of my very limited core memory [Sony VAIO PCG-XE17 maxed out at 256 MB] .
I have two minor but annoying problems, one resolved, the other outstanding...
a) Internet Shortcuts: Now resolved...
I struggled to restore [or create new] Internet Shortcuts, within My Favourites in Internet Explorer, on my Desktop, and in Start, All Programs, Folders.
This resolved today, by downloading Internet Explorer Version 7 latest version from Microsoft, and installing it over the top of the older version [Version 7.0.5730.13 is new and updated, Version 7.0.5730.11 was the old].
b) Internet Explorer Homepage is stuck on http://www.msn.com...
The Home page setting in Internet Explorer remains set, but has no effect. Internet Explorer always starts up with http://www.msn.com as the home page, which is very very annoying.
Newsgroup microsoft.public.internetexplorer.general has a few posts on this topic, which appear to blame a setting in third-party packages that locks the Home Page.
They list typical packages as
Ad-aware's Ad-Watch, Spybot Tea Timer, SpywareBlaster, SpySweeper, Spyware Doctor, CounterSpy,
AVG Anti-Spyware, Norton AntiVirus, McAfee VirusScan and/or Antispyware, NOD32, and Zone Alarm.
I cannot find any setting in NOD32, so remain baffled at this time...
Thanks again, Your forum and your personal support has been just marvelous...
Robert
teufelhunde93
27th August 2008, 06:42 PM
hi Teufelhunde93,
It looks clean to me. I would anyway remove McAfee as it didn't help against UPS and replace it with a proper antivirus. Doing so would also improve the speed of your PC by at least 30%.
Regards,
Thanks for your help Laurentio by posting this information for all of us to use to remove this very annoying virus!
By the way, what anti-virus do you recommend?
laurentio
27th August 2008, 07:08 PM
NOD 32.
See more here:
http://support.bicestercomputers.co.uk/showthread.php?t=25
rmcinnes
29th August 2008, 06:59 AM
Laurentio,
On my last posting, I had one remaining problem, now resolved...
Internet Explorer Homepage was stuck on http://www.msn.com
After much trawling, I came across a very simple answer...
Open Internet Explorer, and select Tools, Internet Options, Advanced, and Reset…
Refer: Item 4, of Microsoft Browser Hijack discussion:
http://www.microsoft.com/protect/computer/advanced/browserhijack.mspx
I hope this may assist others who may still be cleaning up after removing the last remnants of the UPS Virus infection...
A simple procedure for Locking and Unlocking the Homepage, once set, is provided by several sites, the best is packaged at...
http://wwatsonweb.co.nz/homepagelock/
Robert...
laurentio
30th August 2008, 02:16 PM
Hi Robert,
Thanks for the nice post; we all find it very good and well documented!
Looking fwd to more and more posts like this one.
Regards,
Trashbyte
30th August 2008, 11:12 PM
A new threat, hard to remove as so far nothing can stop it or identify it.
It might arrive as an email from UPS, a zipped file that once opened will deploy braviax.exe and burito.exe on your system.
The bogus Packet Service messages claim a parcel sent by the user was undeliverable due to an incorrect address. The user is instructed to open an attachment containing a copy of the invoice. The attachment actually contains a virus which may infect the user's computer.
Here is the removal procedure:
-------------------------------------------------------------------
Before we start fixing anything you should print out these instructions or copy them to a Notepad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Open the SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
----------------------------------------------------------------------------
Please perform a scan with Kaspersky Webscan Online Virus Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
1. Read the Requirements and Privacy statement, then select "Accept".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?”
3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "Next".
5. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
7. Click "OK".
8. Under "Select a target to scan", click on "My Computer".
Kaspersky does not remove anything but will provide a log of anything it finds.
Please post your feedback
Laurentio, UDAMAN!!!!!! your SDFix script is awesome! I ran it remotely using a Remote Desktop solution in Safe Mode w/ Networking enabled and the damned UPS virus is freak'n GONE! You're a true asset to the Internet/PC user community. Thanks a million!
laurentio
30th August 2008, 11:17 PM
you're welcome ;)
#40Fan
3rd September 2008, 03:46 AM
Scan statistics:
Files scanned: 27871
Threat name: 6
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 00:09:38
File name / Threat name / Threats count
C:\WINDOWS\system32\winaux.drv/C:\WINDOWS\system32\winaux.drv Infected: Trojan-Downloader.Win32.Agent.acxl 12
C:\WINDOWS\System32\winaux.drv/C:\WINDOWS\System32\winaux.drv Infected: Trojan-Downloader.Win32.Agent.acxl 10
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.goa 1
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.ady 1
C:\Program Files\rhc7rej0etbp\rhc7rej0etbp.exe/C:\Program Files\rhc7rej0etbp\rhc7rej0etbp.exe Infected: not-a-virus:FraudTool.Win32.AntivirusXP2008.af 1
C:\WINDOWS\system32\pphc3rej0etbp.exe/C:\WINDOWS\system32\pphc3rej0etbp.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.qj 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\smitfraudfix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
The selected area was scanned.
I ran the SDfix then the Kaspersky scan and this is the result of the scan.
laurentio
3rd September 2008, 09:35 AM
can you run another scan and post the log?
#40Fan
3rd September 2008, 02:24 PM
That was the scan after running the fix program. I'll run another one when I get back home tonight if needed.
Ironstreak
3rd September 2008, 05:34 PM
Wow - I'm glad I found this forum - Thanks again - I followed the steps to installing the (T-R), Malwarebytes and (NOD). All I can say is that my computer has never run like a top in a long time until now. I will take my fresh copy of Kaspersky Internet Security and toss it in the garbage bin for all the good it did me. I recommend using the (TuneUp 1-click Maintenance) after downloading TuneUp Utilities 2008 - It gets rid of a lot of the glitches post startup, like startup page flashing and slow boot.
Again ... Cheers ...
ericcentre
3rd September 2008, 10:10 PM
Laurentio,
In my eyes you're an absolute hero. Your advice properly sorted out my comp. I only downloaded the attachment on the UPS email because I was expecting a delivery from UPS that day - uncanny coincidence! I followed your method in the final solution (TR, Malwarebytes and NOD32) and they worked a treat. In particular the NOD32 application really cleaned everything up.
I don't normally post anything on forums or such like but I had to on this one to let you know what a ball ache you saved me and ££££££!!
You've helped a lot of people and i am one who is very grateful of the advice.
Cheers again!
laurentio
3rd September 2008, 10:40 PM
That was the scan after running the fix program. I'll run another one when I get back home tonight if needed.
Yes please, I would like to see another scan.
laurentio
3rd September 2008, 10:42 PM
Wow - I'm glad I found this forum - Thanks again - I followed the steps to installing the (T-R), Malwarebytes and (NOD). All I can say is that my computer has never run like a top in a long time until now. I will take my fresh copy of Kaspersky Internet Security and toss it in the garbage bin for all the good it did me. I recommend using the (TuneUp 1-click Maintenance) after downloading TuneUp Utilities 2008 - It gets rid of a lot of the glitches post startup, like startup page flashing and slow boot.
Again ... Cheers ...
Welcome and have a nice stay:)
U_Factor
3rd September 2008, 10:44 PM
Our company computer has become infected with what I am assuming is the UPS Virus. I have followed your and others' directions to remove it and have come up with some success. I have successfully removed Karina.dat, brviax.exe and buritos.exe along with some other accompanying infections.
Unfortunately our internet has not been working since I originally was alerted to an infection on this computer.
I have installed everything from AVG (got rid of brviax.exe), Malwarebytes (with update), Trojan Hunter, Trojan Remover (got rid of Karina.dat) and have even tried your original solution using SDFix, which found one infection.
I have also tried using HijackThis and I removed one file which I believed was blocking my access to the internet, but to no avail.
I then downloaded LSP Fix and it found one problem and removed it, but still the internet is down (both Internet Explorer and a completely fresh install of Firefox).
I am at a loss for what I need to do to solve this problem.....
Here is my hijack this summary:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:05 PM, on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
^
(I removed this using HijackThis after the scan)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: getsn32.msiesn - {A55CA42C-BF8A-4491-9073-6E32FC4E6250} - C:\WINDOWS\system32\getsn32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [{35cea368-bd59-a15c-6599-8d233d5acbd9}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\yibonuvtgbzvoznnt.dll" DllStub
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 4220 bytes
any help would be very much appreciated...
laurentio
3rd September 2008, 10:47 PM
Laurentio,
In my eyes you're an absolute hero. Your advice properly sorted out my comp. I only downloaded the attachment on the UPS email because i was expecting a delivery from ups that day - uncanny conicidence! I followed your method in the final solution (TR, Malwarebytes and NOD32) and they worked a treat. In particular the NOD32 application really cleaned everything up.
I dont normally post anything on forums or such like but i had to on this one to let you know what a ball ache you saved me and ££££££!!
You've helped a lot of people and i am one who is very grateful of the advice.
Cheers again!
Thank you very much for the kind words, they are much appreciated!:)
laurentio
3rd September 2008, 11:30 PM
Our company computer has becoming infected with what I am assuimng is the UPS Virus. I have followded your and others directions to remove it and have some up with some success. I have succesfully removed (Karina.dat, brviax.exe and buritos.exe along with some other accompanying infections)
Unfortunatley our internet has not been working since I oprgingally was alerted to an infection on this computer.....
...any help would be very much appreciated...
Hi U_Factor,
I see that we have an XPSP2 with IE6...(what about SP3 and IE7?)
As I can see from your logs, the system is still infected.
1)
I would really appreciate you running my FINAL SOLUTION (STEP BY STEP) which was posted at the beginning of the thread.
I didn't say AVG but NOD32.
Not Trojan Hunter, Spyware Doctor or God knows what other software you have tried.
Run the posted solution please and get back to us with a new log.
Also, remove these programs:
Ad-Aware
AVG
Trojan Hunter
Disable Windows System Restore prior to the 2nd scan.
Threats on your machine...
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
O2 - BHO: getsn32.msiesn - {A55CA42C-BF8A-4491-9073-6E32FC4E6250} - C:\WINDOWS\system32\getsn32.dll
LSP provider 'c:\program files\webhancer\programs\webhdll.dll
...and not only those above mentioned....
2) ONLY after you've done all requested above start this level:
Download and scan with SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE) Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Good Luck.
U_Factor
4th September 2008, 02:10 AM
OK so I have uninstalled all the other anti-spyware and virus programs and installed NOD32 and ran a scan which found 2 infections, but after a restart of the computer it did not fix the problem. I also previously turned off auto system restore.
I then installed and ran a full scan using Super-AntiSpyware and here are its results...
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/03/2008 at 06:38 PM
Application Version : 4.20.1046
Core Rules Database Version : 3541
Trace Rules Database Version: 1530
Scan type : Complete Scan
Total Scan Time : 00:20:36
Memory items scanned : 354
Memory threats detected : 0
Registry items scanned : 4057
Registry threats detected : 0
File items scanned : 47452
File threats detected : 4
Adware.Tracking Cookie
C:\Documents and Settings\cheeseshopsb\Cookies\cheeseshopsb@www.burstnet[1].txt
C:\Documents and Settings\cheeseshopsb\Cookies\cheeseshopsb@yadro[2].txt
C:\Documents and Settings\CSI SB STAFF\Cookies\csi sb staff@atwola[2].txt
Adware.AdRotate/System
C:\WINDOWS\SYSTEM32\YIBONUVTGBZVOZNNT.DLL
Then just to give you as much information as possible i ran another Hijack this scan and these are my new results
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:55 PM, on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: getsn32.msiesn - {A55CA42C-BF8A-4491-9073-6E32FC4E6250} - C:\WINDOWS\system32\getsn32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [{35cea368-bd59-a15c-6599-8d233d5acbd9}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\yibonuvtgbzvoznnt.dll" DllStub
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
--
End of file - 3406 bytes
I have followed your steps and I still have no internet access....
PS: Previous problems such as constant pop-ups and Windows Security Center forcibly changing my wallpaper to show a warning of my infected computer have all been resolved, either through your steps or previous actions.
What is the next step I need to take?
laurentio
4th September 2008, 05:32 AM
Type cmd in your Run box.
Once there, type ipconfig/all
Post the full log.
U_Factor
4th September 2008, 07:06 PM
ipconfig summary:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Owner>ipconfig/all
Windows IP Configuration
Host Name . . . . . . . . . . . . : csi-sb-shipping
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-16-76-1E-D6-C4
C:\Documents and Settings\Owner>
U_Factor
4th September 2008, 08:11 PM
Also my computer has been sending me a new error message since I have run through these steps...
"Error loading C:\WINDOWS\system32\yibonuvtgbzvoznnt.dll the specified module could not be found"
laurentio
4th September 2008, 09:57 PM
There's no internet on that PC. How is the PC connected to the internet? USB modem? Ethernet - Cable modem? Wireless?
Also, the described error means that there's a program trying to load at the system startup. Go to run box and type: msconfig then press enter.
A new box should open. Go to start-up, select disable all, then click ok and restart if requested. That should cure the error. We still have to see what is wrong on the hardware layer with your network.
I would do a right click on my computer icon on the desktop and select properties down the bottom.
Once there go to Hardware, Device Manager. Is the network card disabled? Just right click and enable it.
regards,
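The log triage laurentio does by eye in his reply to U_Factor's first HijackThis log (the GUID-named Run value that launches a system32 DLL through Rundll32, the BHO living in system32, the O10 broken LSP) and the "Error loading ... the specified module could not be found" message he explains above (a Run value left behind after the scanner deleted the DLL it points to) can be checked mechanically. The following is an added example written for this page, not code from the thread or from the HijackThis tool. The log lines are copied from the logs posted above; the set of files still on disk is constructed for the example and stands in for a real `os.path.exists` check on the infected machine.

```python
"""Triage a HijackThis log for the autorun patterns discussed in this thread.

Added example, not part of the original thread or of HijackThis itself.
"""
import re

# Constructed sample: lines copied from the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: getsn32.msiesn - {A55CA42C-BF8A-4491-9073-6E32FC4E6250} - C:\WINDOWS\system32\getsn32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [{35cea368-bd59-a15c-6599-8d233d5acbd9}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\yibonuvtgbzvoznnt.dll" DllStub
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O20 - AppInit_DLLs: ,avgrsstx.dll
"""

# Constructed: files assumed to still exist after cleanup. The malware DLL was
# deleted by the scanner; its Run value was not, which is exactly the state
# that produces "Error loading ... the specified module could not be found".
FILES_PRESENT = {
    r"c:\progra~1\avg\avg8\avgtoo~1.dll",
    r"c:\windows\system32\getsn32.dll",
    r"c:\windows\system32\igfxtray.exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\program files\eset\eset nod32 antivirus\egui.exe",
}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
GUID_NAME_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# A quoted path, or an unquoted drive path up to the first executable extension
# (unquoted paths in these logs may contain spaces, so split on extension, not space).
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|scr))', re.I)


def referenced_files(cmd):
    """Return every executable/DLL path a Run command line references, in order."""
    return [quoted or unquoted for quoted, unquoted in PATH_RE.findall(cmd)]


def triage(log_text, files_present):
    """Return (kind, detail, path) findings for the patterns seen in the thread."""
    present = {p.lower() for p in files_present}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            paths = referenced_files(cmd)
            # Heuristic: legitimate vendors name their Run values; a bare GUID is a red flag.
            if GUID_NAME_RE.match(name):
                findings.append(("guid-named-run", name, paths[-1] if paths else ""))
            # Rundll32 used to launch a DLL dropped into system32 (the DllStub pattern above).
            if "rundll32" in cmd.lower() and any("\\system32\\" in p.lower() for p in paths[1:]):
                findings.append(("rundll32-system32-dll", name, paths[1]))
            # Orphaned entry: the file is gone but the autorun value survives.
            for p in paths:
                if p.lower() not in present:
                    findings.append(("orphaned-run", name, p))
            continue
        m = O2_RE.match(line)
        if m and "\\system32\\" in m.group("path").lower():
            # Browser helper objects normally live under Program Files, not system32.
            findings.append(("bho-in-system32", m.group("desc"), m.group("path")))
            continue
        if line.startswith("O10 - Broken Internet access"):
            lsp = re.search(r"'([^']+)'", line)
            findings.append(("broken-lsp", "Winsock LSP chain references a missing DLL",
                             lsp.group(1) if lsp else ""))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that links user32; worth review.
            findings.append(("appinit-dll", "DLL injected into every GUI process",
                             line.split(":", 1)[1].strip().strip(",")))
    return findings


if __name__ == "__main__":
    for kind, detail, path in triage(SAMPLE_LOG, FILES_PRESENT):
        print(f"{kind:22} {detail:45} {path}")
```

On a live machine, replace `FILES_PRESENT` with `os.path.exists` on each referenced path; an `orphaned-run` hit is the entry to delete from the Run key rather than the "disable all" in msconfig, which hides the error but leaves the value in place. For an `O10` hit, Windows XP SP2 and later also ship `netsh winsock reset`, which rebuilds the Winsock catalog without the missing provider.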
U_Factor
4th September 2008, 10:23 PM
OK so I turned off all running programs. I then followed your instructions and found my Intel Pro 100VE Network Adaptor, which says it is running properly and was already enabled. I found out that our connection has just been restored so everything is operational now on that end. Is there still some residual infection left over from the UPS Virus???
laurentio
4th September 2008, 10:28 PM
I found out that our connection has just been restored so everything is operational now....
Please detail.
Can you access the internet now? The connection has been restored by who?
SkiDude911
4th September 2008, 11:12 PM
Thank you Laurentio!!!! Your Final Solution using TR, Malwarebytes and NOD32 absolutely knocked out the buritos.exe, braviax.exe bug that I had on a machine in no time. I had tried many options before I found your solution, and I could never get those two (and a couple of others karina.dat, delself.exe) to go away. Those were just the ones I was aware of. Anyhow, Thank you very much for this site, and your solution!
laurentio
4th September 2008, 11:14 PM
you're more than welcome and thanks for joining us.
Ron
5th September 2008, 02:31 PM
Have just found an easier and quicker way to remove UPS virus, burito.exe, braviax.exe and not only.:)
1. Download TR
from here (http://www.simplysup.com/tremover/download.html)
Install, update then follow the scanning instructions.
2. Download Malwarebytes
from here (http://www.malwarebytes.org/mbam.php)
Install, update then follow the scanning instructions.
3. Download NOD32 Antivirus
from here (http://download.eset.com/eval/win/eav/eav_nt32_enu.msi)
Install and update and restart when requested.
In some cases you might not be able to download/update on the infected computer. Just use a working PC, download on a USB stick then move them onto the infected PC and just follow the instructions.
It will take from 30 min to an hour or maybe more (depends on the level of infestations) but trust me, it works. I have just cleaned 4 computers.
Please let us know if the above posted solution has helped you or not.
It is not only about helping others but helping yourself and making us better. Open an account with us today and get an automatic confirmation email with your username and password that will save you time in future.
(It is free and it takes less than a minute)
Thank you.
What can I say Laurentio, you saved me a lot of friggin work. Now I don't have to restore my friend's mom's computer because as far as I can see it is all gone with the final fix posted above. Thank you very very much my friend, and thanks in advance from my friend's mother. :)
laurentio
5th September 2008, 02:41 PM
Ron, you're more than welcome and thanks for the kind words.
regards
FR33K
6th September 2008, 09:16 PM
My box was due for a format anyway... well I got bravidax.exe (UPS). It came from a Java popup stating that it is a secure digitally signed applet, I ran it and bam. Will a format/reinstall of Windows clear it up? Please help
laurentio
6th September 2008, 09:18 PM
yes it will clear it up.
#40Fan
7th September 2008, 01:17 AM
Well, I have been trying to fight my virus problem for a while now. I have it pretty much beat, but still having some problems.
No matter what I do I just can't seem to get rid of the Antivirus XP program. The NOD32 catches it and keeps it from running, but even after it has said it is deleted, it returns after a reboot. That and a file called "blphc3rej0etbp" along with "lphc3...." "and pchc3....". I can manually delete the files out of the system32 folder, but they always return. Anyway to get rid of them permanently?
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\blphc3rej0etbp.scr (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\blphc3rej0etbp.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc3rej0etbp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
That is the results after running Malwarebytes.
laurentio
7th September 2008, 01:53 AM
Did you read this?
http://support.bicestercomputers.co.uk/showthread.php?t=47
#40Fan
7th September 2008, 11:08 PM
Yes, sir. And no help. Both of the programs find it, but none of them fix it.
laurentio
7th September 2008, 11:15 PM
Interesting. Very interesting...
Can you please run a full scan with SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) in safe mode?
Once back to normal mode run a scan with HijackThis (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download) and post the full log here.
Thanks.
Unregistered
27th September 2008, 01:42 AM
wow i cant believe it worked. that was the best. no more annoying pop ups sayin my pc is infected. thanx alot.
laurentio
30th September 2008, 05:07 PM
Welcome :)
Unregistered
30th September 2008, 09:44 PM
It worked!!!
Unregistered
30th September 2008, 10:25 PM
Thank you for your help on this UPS Virus. The SDFix worked for me. Thanks again.
Randy
Unregistered
1st October 2008, 02:44 AM
Like a dummy, I opened the ups virus and my computer went crazy. I followed the directions to use the SDFix and it worked like a charm. Thank you SOOOOOOOOOOOO much!!!!
laurentio
1st October 2008, 02:48 AM
you're more than welcome;)
Unregistered
3rd October 2008, 09:10 AM
Hi, I have a problem because I cannot even start the computer in Safe Mode. I can get into MS-DOS, but have no idea if I am capable of getting rid of the virus, or at least removing the files which stop me from getting into Safe Mode, from MS-DOS? Can anyone help me with that?
Honey Smak
3rd October 2008, 06:50 PM
Worked like a charm. Thanks, saved me from rebuilding 2 machines.:D
laurentio
28th October 2008, 12:44 AM
you're welcome.
rmcinnes
2nd December 2008, 02:15 AM
Laurentio....
NOD32 has detected and deleted two instances of this nasty package in the past two months, so beware, it is still around, and just as menacing as ever...
My Sony PCGXE-17 has been performing perfectly since the fix, thanks again.
NOD32 works a treat, is low overhead and effective, silent updates,
For reference, my earlier postings are: #111, 108, 92, August 2008.
Robert...
dawgfan
3rd December 2008, 12:12 AM
received assistance elsewhere - lack of response this forum...
suzycue
12th December 2008, 08:43 PM
I got the UPS email a few days ago and found your material today. I followed the SDFix instructions and the report there said no Trojans detected, but when I ran Kaspersky it detected two infections and one suspicious file. This is the report --
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 12, 2008 14:32:44
Records in database: 1454842
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 47641
Threat name: 2
Infected objects: 2
Suspicious objects: 1
Duration of the scan: 00:59:21
File name / Threat name / Threats count
C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-275132c3 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-21c60760.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
The scan was stopped by the user.
I stopped the scan when it was 22% done because I wanted to find out what it had found.
What do you suggest as next steps?
laurentio
12th December 2008, 10:46 PM
received assistance elsewhere - lack of response this forum...
And your question was?:confused:
As I can see that remark was the only post on our forum. are you sure the question was posted here?
with so many people saying thank you there must be something wrong with you....Hellloooo? :)
laurentio
12th December 2008, 11:07 PM
Laurentio....
NOD32 has detected and deleted two instances of this nasty package in the past two months, so beware, it is still around, and just as menacing as ever...
My Sony PCGXE-17 has been performing perfectly since the fix, thanks again.
NOD32 works a treat, is low overhead and effective, silent updates,
For reference, my earlier postings are: #111, 108, 92, August 2008.
Robert...
I know Robert; I have been in touch with ESET's labs every day since this UPS Virus appeared.
NOD32 is still very good on viruses but somehow vulnerable to malware infections. ESET is looking at Malwarebytes software at the moment as it has impressed even them with its capacity for identifying the threats.
I have a huge archive of Viruses and Trojans that I have collected over years from clients machines (a collection that's still growing day after day, everyday)
The collection is very useful for my AV comparatives, which I run every month. The best so far was NOD32, which was usually missing some of the latest malware "releases". Not missing them but unable to remove them. Yesterday I ran a scan with Malwarebytes on the whole archive. Believe it or not, it found and removed all. ALL!
Amazing.
Stay tuned, will try keeping you updated.:cool:
laurentio
12th December 2008, 11:13 PM
Hi Suzycue,
Uninstall Java, scan the PC with Malwarebytes, remove what's found, reinstall JAVA, install NOD32 and scan the system once again.
Regards,
suzycue
13th December 2008, 07:36 PM
Okay I'll try that though in the meantime I ran malware and nod 32 and they didn't find anything. I'll let you know what happens.
suzycue
14th December 2008, 02:52 PM
Well I did everything you suggested. Neither Malwarebytes nor NOD32 detected any problem, but when I ran Kaspersky again it came up with the same problems. I've downloaded the Kaspersky AV trial version and am going to run that.
laurentio
15th December 2008, 10:08 AM
Suzycue, can you send me the scan-log of Malwarebytes please. Also, the full log of Kaspersky.
thank you.
Julian
17th December 2008, 12:32 PM
I have fallen foul of this nasty virus. I didn't have my brain engaged when I opened the attachment...
However, my laptop will not open the operating system or boot in safe mode, I am at a loss as to what I should do next. Any helpful suggestions would be gratefully received.
Thanks
Julian
laurentio
17th December 2008, 01:33 PM
2 options:
1. Remove the HDD put it in an enclosure and attach it to a working PC. Scan the external drive with Kaspersky and Malwarebytes.
2. Use a Linux Live CD, or Bart OS, PC Geeks, etc.
Ntblbe
18th December 2008, 08:42 AM
Hi Laurentio,
Thanks for all the hard work and updates you put here.
I accidentally opened that email from UPS and now my PC is infected. I tried to follow your steps, but I CANNOT access anything, the whole screen freezes. I can't get online, nor can I open the files I downloaded onto my USB drive as instructed in your threads earlier. PLEASE advise me on what to do next. I need the PC urgently for work and school.
Thanks!
laurentio
18th December 2008, 08:57 AM
Please follow the above mentioned solutions.
Ntblbe
18th December 2008, 09:05 AM
Are these the only 2 options I've got at this point? What about the downloads I can get onto another uninfected PC? 'Cause my PC is a Sony (complicated case) with mini disc, TV tuner, etc... Any other options than removing the HDD?
Ntblbe
18th December 2008, 09:07 AM
Where can I get Linux Live CD, or Bart OS, PC Geeks, etc???
laurentio
18th December 2008, 10:59 AM
http://www.downarchive.com/software/operating/4093-windows-xp-live-cd-with-kapersky-anti-virus-2009.html
You might have to register to get the download link. I believe that the registration is free.
Oops... it looks like the above link (download links) is down.
Try this one, I've just checked it and it works just fine:
http://www.freshwap.net/forums/applications/16484-windows-xp-live-cd-kapersky-anti-virus-2009-can-update.html
I might open a Live CD thread so people can download them, try them and share any new or preferred versions with us. What do you think?
Ntblbe
19th December 2008, 07:38 AM
I was able to download and run the 3 steps you mentioned in earlier threads: TR, Malwarebytes and NOD32 antivirus. I spent the whole day just running them, and scanning and all that good stuff. HOWEVER, after scanning multiple times, quarantining and deleting as I was directed to do with this software, and rebooting as directed, I am still having problems. NOW, when I boot up the PC, I can't even log on to open the desktop. Also, I was NOT able to go online either the whole time??
Please advise on what to do next.
Thanks. You have been very helpful. Again, much appreciated!
Ntblbe
19th December 2008, 07:43 AM
I also have PC-cillin antivirus, but I have deactivated it in the meantime since I have NOD32. Does that matter or cause any problems?
Ntblbe
19th December 2008, 07:45 AM
After another reboot, I was able to open up the desktop, but every time I try to open the Internet (Mozilla Firefox) it keeps thinking for a while and freezes on me??
laurentio
19th December 2008, 10:39 AM
You did well so far but the OS needs some serious maintenance:
Remove any software you don't need or don't know from your system.
Do it with Advanced Uninstaller, the trial version.
Download from here. (http://www.innovative-sol.com/uninstaller)
Advanced Uninstaller can help clean the start-up programs and repair the registry.
Read the manual or the instructions. (http://www.innovative-sol.com/uninstaller/manual/index.htm)
Good luck.
Ntblbe
20th December 2008, 03:24 AM
Thanks to your help.
I think now the problem I'm having is that NOD32 and PC-cillin are both active and are blocking me from doing anything. I tried to remove NOD32 in safe mode, but was not able to???
How can I remove it? Tried to uninstall but freezes on me too.
Any suggestions?
Ntblbe
22nd December 2008, 01:00 AM
Any thoughts on this issue? Thanks.
laurentio
23rd December 2008, 08:59 AM
Thanks to your help.
I think now the problem I'm having is that NOD32 and PC-cillin are both active and are blocking me from doing anything. I tried to remove NOD32 in safe mode, but was not able to???
How can I remove it? Tried to uninstall but freezes on me too.
Any suggestions?
Remove any software you don't need or don't know from your system.
Do it with Advanced Uninstaller, the trial version.
Download from here. (http://www.innovative-sol.com/uninstaller)
Advanced Uninstaller can help clean the start-up programs and repair the registry.
Read the manual or the instructions. (http://www.innovative-sol.com/uninstaller/manual/index.htm)
Good luck.
Sopoke
14th January 2010, 09:52 AM
Hi all
I think I've removed my UPS virus almost totally - at least I've got control of my PC back and it's working normally, it seems.
I used Trend Micro HouseCall, Spybot Search & Destroy (took almost all, I think), SDFix, rmvirut.exe and Windows Malicious Software Removal Tool (found 1 more virus), in that order.
Most were run in safe mode, but after SDFix I was in normal boot mode.
Now my svchost.exe connections look really scary to me, but I don't really understand them - picture attached. Can anyone help me figure out what all those SMTP connections mean and how to stop it if necessary?
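A burst of SMTP connections from svchost.exe, as Sopoke describes, is the usual sign of an infected PC being used to send spam: a mail client talks to one or two relays, a bot talks to many mail servers at once. The script below is an added example, not from this thread, that parses `netstat -ano` style output and flags any process with SMTP fan-out to several distinct remote hosts; the sample lines, PIDs and the PID-to-process map are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output. Addresses are from
# the RFC 5737 documentation ranges; the PIDs are made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:49152     203.0.113.5:25         SYN_SENT        1044
  TCP    192.168.1.20:49153     203.0.113.77:25        ESTABLISHED     1044
  TCP    192.168.1.20:49154     198.51.100.9:25        SYN_SENT        1044
  TCP    192.168.1.20:49155     198.51.100.200:25      ESTABLISHED     1044
  TCP    192.168.1.20:49160     192.0.2.10:587         ESTABLISHED     2200
  TCP    192.168.1.20:49161     192.0.2.44:443         ESTABLISHED     3120
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_TASKLIST = {880: "svchost.exe", 1044: "svchost.exe",
                   2200: "outlook.exe", 3120: "firefox.exe"}

# Port 25 is server-to-server mail delivery; a desktop mail client normally
# uses the submission port (587), so only direct port-25 traffic is counted.
SMTP_PORTS = {25}
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$")


def parse_netstat(text):
    """Return (pid, remote_host, remote_port, state) tuples for the TCP rows."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and UDP rows carry no TCP state column
        host, _, port = m.group("remote").rpartition(":")
        conns.append((int(m.group("pid")), host, int(port), m.group("state")))
    return conns


def smtp_fanout(conns):
    """Map each PID to the set of distinct remote hosts it is talking SMTP to."""
    fanout = defaultdict(set)
    for pid, host, port, state in conns:
        if port in SMTP_PORTS and state in ACTIVE_STATES:
            fanout[pid].add(host)
    return fanout


def flag_spam_senders(conns, names, min_hosts=3):
    """Flag PIDs with SMTP connections to at least min_hosts distinct hosts.

    Returns {pid: (image_name, sorted_remote_hosts)} so the result can be
    matched against Process Explorer or tasklist output by hand."""
    flagged = {}
    for pid, hosts in smtp_fanout(conns).items():
        if len(hosts) >= min_hosts:
            flagged[pid] = (names.get(pid, "?"), sorted(hosts))
    return flagged


if __name__ == "__main__":
    for pid, (name, hosts) in flag_spam_senders(parse_netstat(SAMPLE_NETSTAT),
                                                 SAMPLE_TASKLIST).items():
        print("PID %d (%s) talks SMTP to %d hosts: %s" % (pid, name, len(hosts), hosts))
```

Run the real output through it with `netstat -ano > net.txt` and `tasklist` on the suspect machine; a svchost.exe PID that shows up here is the one to investigate with Process Explorer.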
B-Sun Media Systems LA
15th January 2010, 10:17 PM
caught the virus yesterday and took all night and today to remove; tried the Kaspersky fix first but had no success. We used Malwarebytes' Anti-Malware 1.44 and it appears to have removed it; still have a white desktop issue to resolve but thank Providence that I didn't have to wipe the drive from scratch.
:p
yes, it is the new variant of UPS.
here is the resume of emails i have sent to our customers so far:
VERY IMPORTANT! (23-07-08 / 3:30AM)
Do not open any emails with UPS tracking code/number subject as it might be the new UPS virus.
The virus deploys braviax.exe and burito.exe and the removal procedure might lead to windows corruption.
Kind regards,
UPDATE (24-07-08 / 7:10AM)
http://urbanlegends.about.com/b/2008/07/15/ups-virus-warning.htm
The new virus is apparently a variant of the one described in the link above.
UPDATE (24-07-08 / 7:20AM)
http://wordpress.com/tag/ups-virus/
The new variant.
UPDATE ( 24-07-08 / 7:30AM)
A possible removal procedure might be found here:
http://support.bicester-computers.com/forumdisplay.php?f=31
Mungo
16th January 2010, 04:03 AM
We have a laptop infected with the UPS virus; however, unlike any other stories I've read, our computer will not boot up anymore, either normally, in safe mode or to a command prompt. Has anyone else had a similar experience with this virus and have a solution?
Sopoke
16th January 2010, 12:32 PM
Boot with ERD or UBCD4WIN and try to run some of their repair programs - like mbrfix
lbernste
16th January 2010, 07:44 PM
This virus is evidently back as I received the email yesterday saying something about a non-deliverable UPS package. As I had received a package from Amazon the day before, I thought there might be some confusion so I opened the attachment and....
...I spent the rest of the day trying to recover, and have still not fully recovered all files and stuff
mandynathali
18th January 2010, 05:16 AM
Hi,
Last Friday I received an email via my Yahoo account from UPS (which I now know is not). I think this nasty virus has emerged again.
Avira scanned the file before I unzipped it and I did not get any warning, even though I had updated the Avira files before; then it went spiralling downhill!!
I had so many windows opening up, I immediately disconnected from the net then proceeded to virus scan with Avira. At the end of the scan, it could not help as it was infected. I could not open the report, even though there were warnings.
I tried Spybot scan which found a majority of problems which I allowed the fix. I did not think it wise to go on the net as I kept getting Internet Explorer pages opening up.
All during this time I was getting Norton virus updates and warnings - I don't have Norton so I ignored them and did not open any of the files. I just closed them at the X and made sure I was disconnected from the net.
After spybot cleaned up, I used ATF to clean my temp files and then turned off and re-started.
Since then I cannot log on to Windows, even in safe mode and as administrator. I tried logging on a number of times but it keeps logging me out. I am not getting past the log-on page.
I cannot seem to get into windows and think I must have messed up somewhere.
I have spent the weekend reading forums and pages and pages of advice. I read this forum thread as well as the thread http://support.bicestercomputers.co.uk/showthread.php?p=150, "cannot log into windows".
I also read the final solution too. As this cannot assist my issue I wonder if you can once again re-list the procedure to boot up and what I need to download in list order
I have all the reboot disks but it has become confusing as to what exactly I need to download and from where.
I think I am capable of following instructions, but it's a bit scary as it's quite daunting. Not an expert, not savvy, I just know bits and can follow a routine so long as it's explained.
Look forward to your reply and any assistance you can provide
mandy nathali
laurentio
19th January 2010, 10:29 AM
Nathali,
It is quite simple, I must say: turn on your PC and load Windows in safe mode (press F8 several times while the PC is booting, then select Safe Mode from the menu).
Once in safe mode install and run Malwarebytes (previously downloaded and copied on a USB stick)
Also, you can try this lovely piece of software from Olzen :)
http://freeofvirus.blogspot.com/
This should suffice.
x
JeffTemple
21st January 2010, 07:24 AM
Hello Laurentio, you have done some good work here, so well done!! Stupidly, in an absent moment, I also clicked on the file from the UPS email, and saw nothing. Since then my computer has some minor problems, nothing major, so I wonder if I am infected, particularly as I have current Symantec loaded. A scan found nothing, except a Trojan Bredolab, whatever that is. I tried using your SDFix, but it did nothing, as if it was not working on Vista. How would you recommend I proceed? How can I find out if I am indeed infected? Thanks for the advice.
feZian_leVels
21st January 2010, 11:57 AM
Hello folks. First off, Laurentio, thanks for giving back some hope to guys like me.
It seems the web is just a vast ocean filled with sharks..then I found your forum.
Needless to say I got suckered into opening this on Friday,early,bleary eyed and half asleep.
Ironically my UPS parcel did arrive..on Monday..doh!
I don't know a hell of a lot about 'puters. Just an average bloke who shops, banks, emails and plays COD4.
I've tried most if not all of the above suggested solutions and reckon I'll save the heart ache and go for a Windows reinstall.
I've lost net access and have been porting the virus killers from my other PC.
At the last try, I had left the F-Prot antivirus running for nearly 12 hours and came back to find it hadn't actually progressed from where I had left it.
Just a heads up... I have received two such emails since Friday, one from 'UPS' and now one from 'DHL', both with the same schtick about being unable to deliver.
I'm hoping that the reinstall will cure all and I can put all this crapola behind me... once bitten, and all that.
I can only hope that the author of this nasty masterpiece (nasterpiece?) meets a terrible splattery end.Git.
Any hoo thanks for all you are doing...there are a lot of us who need you.
Cheers.:)
laurentio
21st January 2010, 12:19 PM
Oh... Fezian, this is one of the nicest posts I've seen in my life. This is what makes me run this forum, this is what makes me spend hours and days in front of the computer. Your nice words are much appreciated.
thank you.:o
jeff, see the final solution post, it has been recently updated.
x
CJW
21st January 2010, 01:53 PM
Laurentio, I am at my wits' end :( I thought I had struck gold when I found your forum but sadly I am no further in removing the UPS virus from my work PC.
Unlike most others I cannot get my PC to boot in safe mode or any other mode :( I have removed the drive and scanned it using a variety of anti-malware/antivirus software, including the various software suppliers mentioned on the forum. All have found and removed various items but it still won't boot!
I don't want to format and reinstall as all my data will be lost. I know I should have backed it all up but I haven't, so I really need a solution.
Please please can you assist!! OS XP pro sp3. Thanks Chris.
laurentio
21st January 2010, 02:07 PM
Chris, sorry to hear that.
Please detail the "boot" part. Are there any error messages?
Please advise.
CJW
21st January 2010, 02:50 PM
Hi, no boot errors shown! I hit F8, then select Safe Mode and get the usual screen showing Safe Mode at the very top with the Windows version etc. It then goes to the login screen showing me and admin; I select me, enter the password, it says logging in, then within seconds logs me straight out again, no desktop or icons! This happens in both safe mode and normal mode. Hope that helps? BTW, had the same virus sent through to my .mac account, the only difference is its hoax name is DHL!!! Can send it if it will help? Chris.
feZian_leVels
21st January 2010, 07:42 PM
You are most welcome Laurentio.
Like I said, I'm not really into the ins and outs of all this but I think I can handle the reinstall.
This seems like a friendly place and I feel safe enough asking stupid questions..so brace yourself for a stupid question:
Under System info (all programs>Accessories>system>tools etc...)the number formatted;*****/***/*******7***** is presumably my registered key for windows?
Yeah, that's the level of my computer savvy :D
I was on a forum yesterday where I was seeing responses to this UPS problem which were just downright idiotic.
For example: 'how does anyone fall for this? Point...And...Laugh.'
This virus is anything but funny...
I was just unlucky enough to be waiting for a UPS shipment.
I guess that's how you fall for it......:(
wok3
21st January 2010, 11:36 PM
Hello laurentio, hello folks,
Sadly I was dealing with UPS these days, so I downloaded the attachment; it was, as mentioned, a .zip file claiming to be an invoice.
When I double-clicked on the .zip to see the content of the file, WinZip showed me an alert saying:
"Cannot open file, this does not seem to be a valid archive, if you downloaded this file try downloading the file again".
Is the trigger of the infection the .zip file itself, through a WinZip exploit using a fake "cannot open file" alert, or is the virus something compressed inside the zip file itself, like an .exe file?
My laptop is not showing any strange behaviour till now so I'm wondering if I've been just lucky or if the infection is going on in a hidden way.
Has any other user experienced a "cannot open file" alert from WinZip?
Thanks, wok3
wok3
22nd January 2010, 12:24 AM
Hello laurentio, hello folks,
Sadly I was dealing with UPS these days, so I downloaded the attachment; it was, as mentioned, a .zip file claiming to be an invoice.
When I double-clicked on the .zip to see the content of the file, WinZip showed me an alert saying:
"Cannot open file, this does not seem to be a valid archive, if you downloaded this file try downloading the file again".
Is the trigger of the infection the .zip file itself, through a WinZip exploit using a fake "cannot open file" alert, or is the virus something compressed inside the zip file itself, like an .exe file?
My laptop is not showing any strange behaviour till now so I'm wondering if I've been just lucky or if the infection is going on in a hidden way.
Has any other user experienced a "cannot open file" alert from WinZip?
Thanks, wok3
I might have found an answer to my question here: http://blog.mxlab.eu/2010/01/19/new-bredolab-trojan-variants-in-dhl-and-ups-tracking-emails/
It talks explicitly of an .exe file inside the .zip file attached to the fake UPS email. In the comments of that post another user says that:
"i have received an e-mail this morning from dhl regarding this…tried to open it but it wouldnt let me…hope ive not done aything to my computer. the emial address they used for me wasnt mine but it managed to reach my computer. dont know how to get rid of this. anyone help please".
Even though it could still be a new version that uses a WinZip exploit, or maybe there's a bunch of those emails that have a corrupted .zip attachment so that you cannot even see the .exe file inside of it (which would have been better for me, as I would never have clicked on an .exe file... but I did it on a .zip.. :(
Can anyone confirm whether the .exe file inside is the "real" virus, or whether it might as well be the .zip file?
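wok3's question (is the .zip itself the trigger, or the .exe inside it?) is best answered by listing the archive's contents without extracting or running anything. The script below is an added example, not from this thread or the linked blog post: it reports executable and double extensions (the "invoice.pdf.exe" pattern), looks for a PE "MZ" header inside each member, and treats an archive Python cannot parse the same way WinZip's "not a valid archive" message does, as something that cannot be cleared. The sample archive and its filename are constructed.

```python
import io
import zipfile

# Extensions Windows runs on double-click; a parcel "invoice" needs none of them.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".wsf"}
DOCUMENT_EXTS = {".pdf", ".doc", ".txt", ".jpg"}


def classify_member(name):
    """Return the reasons an archive member name looks dangerous (empty if none)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % ext)
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension disguising %s as a document" % ext)
    return reasons


def inspect_attachment(data):
    """Inspect raw attachment bytes without extracting anything to disk.

    status: 'zip' (readable archive), 'corrupt-zip' (starts like a zip but
    cannot be parsed), 'raw-executable' (a bare PE file) or 'other'.
    members: (name, reasons) for every entry of a readable archive."""
    result = {"status": "other", "members": []}
    if data[:2] == b"MZ":
        result["status"] = "raw-executable"
        return result
    if data[:4] not in (b"PK\x03\x04", b"PK\x05\x06"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                reasons = classify_member(info.filename)
                try:
                    # An MZ header inside the member proves it is a PE, whatever it is named.
                    if zf.open(info).read(2) == b"MZ":
                        reasons.append("PE header inside member")
                except RuntimeError:
                    reasons.append("encrypted member, content cannot be inspected")
                result["members"].append((info.filename, reasons))
            result["status"] = "zip"
    except zipfile.BadZipFile:
        # Truncated or damaged download: this is what WinZip reports as
        # "not a valid archive". It cannot be cleared, so it is not trusted.
        result["status"] = "corrupt-zip"
    return result


def is_suspicious(result):
    """Anything that is executable, unreadable, or hides executables is suspicious."""
    if result["status"] in ("raw-executable", "corrupt-zip"):
        return True
    return any(reasons for _, reasons in result["members"])


def build_sample_zip():
    """Constructed stand-in for the fake UPS attachment (no real malware inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice_NR18623.pdf.exe", b"MZ" + b"\x00" * 62 + b"placeholder, not a real binary")
    return buf.getvalue()
```

On a real message, save the attachment without opening it and pass the bytes to `inspect_attachment`; a readable archive whose member list shows an .exe answers wok3's question directly, while a corrupt one stays unknown and should be treated as hostile.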
feZian_leVels
23rd January 2010, 02:33 PM
Hello Laurentio...Didn't think I would be troubling you so soon :rolleyes:
I've tried a fresh install of XP ..and get as far as the 'blue-screen-set-up page'.
So far so good. I now have 3 options: set up XP, repair XP, and Exit.
Hitting the enter key to set up appears to do nothing.
Hit repair and off it goes.
Trouble is the virus is still in there when it re-boots.
I got my Internet connection back though.
Any help is GREATLY appreciated.
I am ready to toss this PC through the nearest window.
Doesn't have to be open either....:mad:
feZian_leVels
24th January 2010, 05:00 PM
Update!! After many hours of frustration, and a repair install of XP, I managed to connect to the net and download Sysinternals Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx (http://www.bleepingcomputer.com)
This turned up an explore.exe.exe which I removed.
Then downloaded Malwarebytes,updated and ran it.
A couple of runs through with 'F-prot' and 'Trojan Remover' and voila!
A lot of heartache, but I managed to nail that horrible little sucker!
Hope that is helpful to somebody who may be where I've been for over a week..
Good luck.:)
laurentio
4th February 2010, 01:13 AM
Latest working solution here:
Have just found an easier and quicker way to remove UPS, DHL virus, burito.exe, braviax.exe and not only.:)
1. Download Remove Fake Antivirus
from here (http://freeofvirus.blogspot.com/)
Install, update then follow the scanning instructions.
2. Download Malwarebytes
from here (http://www.malwarebytes.org/mbam.php)
Install, update then follow the scanning instructions.
3. Download Panda Cloud
from here (http://www.cloudantivirus.com/en/)
Install, update then restart when requested.
In most of the cases you won't be able to download/update on the infected computer. Just use a working PC, download on a USB stick then move them onto the infected PC and just follow the instructions. Also, the safe mode scanning is recommended.
stprochera
5th March 2010, 04:57 AM
Latest working solution here:
Have just found an easier and quicker way to remove UPS, DHL virus, burito.exe, braviax.exe and not only.:)
1. Download Remove Fake Antivirus
from here (http://freeofvirus.blogspot.com/)
Install, update then follow the scanning instructions.
2. Download Malwarebytes
from here (http://www.malwarebytes.org/mbam.php)
Install, update then follow the scanning instructions.
3. Download Panda Cloud
from here (http://www.cloudantivirus.com/en/)
Install, update then restart when requested.
In most of the cases you won't be able to download/update on the infected computer. Just use a working PC, download on a USB stick then move them onto the infected PC and just follow the instructions. Also, the safe mode scanning is recommended.
I tried this by downloading to my stick from my laptop, but when I go to open them on the infected computer it gives me an error message of "Windows cannot access the specified device, path or file. You may not have permission to access the item." Any ideas here?? This is the same error I now get when I try to access anything on my desktop.
Thanks!!!
bathiya
22nd March 2011, 09:07 AM
The UPS computer virus caused quite a lot of problems. Below are some steps I found that will help you to remove the UPS virus:
-Delete the mail that was sent, received and also the ones in outbox and Outlook.
-Delete all the files, not any of the folders, from the "c:/documents and settings/yourusername/localsettings/temp" folder.
-Run some cleanup scans with your antivirus or anti-malware software and the problem will be done with.
I hope it helps. Datanumen.com (http://www.datanumen.com)